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FOREWORD 


The prospect of undertaking a reusable launch vehicle development led the NASA 
Office of Manned Space Flight (OMSF) to request the Office of Advanced Research and 
Technology (OART) to organize and direct a program to develop the technology that 
would aid in selecting the best system alternatives and that would support the ultimate 
development of an earth-to-orbit shuttle. Such a Space Transportation System Tech- 
nology Program has been initiated. OART, OMSF, and NASA Flight and Research 
Centers with the considerable inputs of Department of Defense personnel have generated 
the program through the efforts of several Technology Working Groups and a Technology 
Steering Group. Funding and management of the recommended efforts is being accom- 
plished through the normal OART and OMSF line management channels. The work is 
being done in government laboratories and under contract with industry and universities. 
Foreign nations have been invited to participate in this work as well. 

The Space Transportation System Technology Symposium held at the NASA Lewis 
Research Center, Cleveland, Ohio, July 15-17, 1970, was the first public report on 
the program. The symposium on which this publication is based was held at Pheonix, 
Arizona during the week of March 15, 1971 and was the second report in the areas of 
Biotechnology as well as Operations, Maintenance, and Safety. The Symposium goals 
are to consider the technology problems, their status, and the prospective program out- 
look for the benefit of the industry, government, university, and foreign participants 
considered to be contributors to the program. In addition, they offer an opportunity to 
identify the responsible individuals engaged in the program. The Symposium sessions 
are intended to confront each presenter with his technical peers as listeners. 

Because of the high interest in the material presented, and also because the people 
who could edit the output are already deeply involved in other important tasks, we have 
elected to publish the material essentially as it was presented, utilizing mainly the illus- 
trations used by the presenters along with brief words of explanation. Those who heard 
the presentations, and those who are technically astute in specialty areas, can probably 
put this story together again. We hope that more will be gained by compiling the informa- 
tion in this form now than by spending the time and effort to publish a more finished com- 
pendium later. 


A. 0. Tischler 
Chairman, 

Space Transportation System 
Technology Steering Group 
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INTRODUCTORY PAPER 

SPACE SHUTTLE OPERATIONS, MAINTENANCE 
AND TECHNOLOGY INTEGRATION 

C. C. Gay, Jr. 

Director, Systems Engineering, Space Shuttle Program Office, 
NASA Headquarters, Washington, D.C. 


INTRODUCTION 

As the subject of this paper implies, we on the Space Shuttle program have a 
unique opportunity to build and operate the "707" of space transportation systems. The 
idea of a two stage fully reusable aircraft/spacecraft system is not new. Over a decade 
ago, NASA had accomplished this feat by mating the X-15 with its booster, the B-52 
as shown in Figure 1. By using this method, NASA was able to mate, fuel the X-15 
with hydrogen-peroxide, man the system, launch and fly 199 flights up to altitudes of 
354,200 feet and speeds up to mach 6.7 and recover both stages in a safe efficient 
manner. The technology requirements for facilities, operational support, logistics impli- 
cations, crew and passenger mix, mission capability, maintenance and checkout opera- 
tions, and abort and recovery operations are overviewed in this paper. 

PROGRAM REQUIREMENTS 
THAT EFFECT OPERATIONAL TECHNOLOGY 

At this point in time, the Shuttle program is in the preliminary design phases of the 
selected configurations preparing for the 9 month technical "data dump." Figures 2 and 
3 show examples of the selected configuration. Figure 4 shows’ the current schedule 
and how the phase B Shuttle activity phases with phase C/D Shuttle engine development 
and technology activities. As phase B activities have progressed, operational require- 
ments have been refined to the point where Shuttle vehicle and engine configurations and 
sizing have been determined. Figure 5 shows the main engine characteristics currently 
in phase C design. Concurrently with the above activities the wind tunnel programs at the 
various government and contractor facilities are continuing to verify the design and con- 
figurations selected. 

With the "honed down" requirements emerging from phase B trade study activities, 
the third round of Shuttle program iterations can begin. NASA expects to start phase C 
design work in FY 1972. 


FACILITIES 

Shuttle missions, present programs, cost and safety requirements shape and form 
the total Shuttle facility framework. Figure 6 shows a conceptual Shuttle operational 
area. The ideal situation for the Shuttle would be to have an optimum positioning of the 
final assembly, horizontal and vertical flight test, maintenance and launch areas of the 
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Shuttle booster and orbiter vehicles with as little new construction of facilities as possi- 
ble. This, of course, has been and is an important trade study. So important in fact, 
that it can be a significant cost factor in design of the vehicles. The total integration 
of all phases of Shuttle facilities requires that test and operations technology be inte- 
grated at an early date into Shuttle vehicle and test design. 

SAFETY 

Underlying the total Shuttle and facility design effort is the element of safety. A 
major requirement for the Shuttle is airline type flight operations and that means intact 
abort with the crew and passengers. Another major requirement is that the Shuttle have 
a once around abort to continental United States capability and a possible return to base. 
Depending on launch site location and mission inclinations, aborts downrange vs aborts 
to orbit are also being considered. This means that over-flight of populated areas have 
to be considered as well as low ascending flights over foreign territories. To forestall 
actual aborts theSpace Shuttle vehicle is being designed with very high safety standards. 
Standards that are similar to SST levels, in general, fail operational/fail safe concepts 
are used for the structural portions of the vehicle while fail operational/fail operational/ 
fail safe is being designed into Shuttle avionics systems. Ground support systems should 
also match these guidelines so that the total system conforms to the desired safety level . 
Also of concern is determining how to advance Apollo pre-launch and launch operations 
technology from an R&D activity occuring two times a year to a routine once a week air- 
line type activity. NASA has a major requirement to safely fuel the Shuttle vehicles 
with approximately 3.6 million pounds of cryogenic propellant within two (2) hours. This 
is a result of an important space rescue requirement. Further, in a normal mission, 
launch and flight operations are now concerned with handling semi-trained passenger- 
scientist/technicians in a safe expedient manner. This means some kind of standard 
operational-safety training for some yet undetermined time prior to a launch to assure 
passenger suitability for space travel. NASA currently has safety technology studies in 
work. Some of these technology studies are: Liquid propellant; Explosion analysis; 
Space Shuttle safety and operations margins engineering analysis; Launch azimuth abort 
and safety; Hydrogen filled system safety; Spacecraft fire protection; Hydrogen fire detec- 
tion system, etc. 


LOGISTICS 

With the advent of the STS, NASA must change from a pure R&D activity to an 
operational activity. This means that new methods must be found to logistical i y support 
all activities of the Shuttle. Some logistic activities required for the Shuttle are: 

1. Passenger handling 

2. Cargo handling before launch and after landing 

3. Fuel storage and servicing 

4. Parts supply 

5. Payload advanced conditioning and checkout handling, and security. 
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As mentioned previously, passenger and payload handlers have to be trained well in 
advance to handle their tasks. This means a pipeline of payloads has to be established 
for normal and emergency operations. This can be likened to airline operations of normal, 
deferred and immediate cargo handling. Much preplanning will be required to smoothly 
operate the Shuttle. This means during Shuttle design, NASA has to constantly bear in 
mind logistic integration into Shuttle operations. Some of the studies currently in work 
for logistics technology are: Space cargo handling; Man-Machine integration/simulation 
of crew and cargo transfer and docking; Support systems for both conditioned and gravity- 
deconditioned passengers; payload handling, etc. 

MAINTENANCE AND CHECKOUT 

NASA maintenance and checkout activities presently are confined to R&D one-time 
usage procedures. New technology is required to reduce long checkout periods down to 
a matter of hours. Now the Shuttle designers must closely integrate rapid checkout fea- 
tures into the vehicle and GSE. Again the airline concept of autonomous operation has 
to be borne in mind. Present airline maintenance and checkout technology must be used 
as a basis for NASA to change thinking from one-time usage to repeated usage all at low 
cost. Refurbish and maintenance concepts for rocket vehicles are new. NASA will have 
to integrate new technology for non-destructive testing and possibly go into the "on- 
condition" maintenance concept that airlines have been using for several years. This 
means that NASA might not use the TBO concept, but instead, use the "leave-it-aione" 
principle. For reusable rocket engines this means an entirely different viewpoint with 
new design oriented toward building into the engines a refurbish and maintenance capa- 
bility. Figure 7 shows a space Shuttle main rocket engine schematic. New horoscope 
techniques, etc., will be needed for fast economical turnaround. Shuttle useful life of 
ten years will require the use of new operational technology developments to accomplish 
this goal . 

Some of the maintenance and checkout studies in work are: Structural integrity 
assessment techniques; Rapid loading of cryogenics and gases; Leak detection techniques 
Redundancy checkout techniques; Bearings and seals development; Non-destructive test- 
ing techniques for flight readiness verification; etc. 

OPERATIONS 

Launch operations of the Shuttle combines the use of facilities, safety, logistics, 
maintenance and lastly, checkout. Figure 8 shows the Shuttle vehicle at launch. The 
concept of on-board checkout is being pushed by NASA and is a prime design considera- 
tion to reduce time and costs. Checkout before and after erection, in a matter of hours, 
is a great technology challenge. To start with, during the flight test phase, checkout 
will understandably be slower but as experience and procedures are refined and by the 
completion of the ten vertical flight test launches, checkout should be fairly rapid. 
However, now is the time to integrate checkout technology into Shuttle design. 
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Flight operations will also have to be simplified in some areas and increased in 
others. With an autonomous operational requirement for the Shuttle, communication with 
the ground should not be any more stringent than an airliner. Probably in the early 
launches, temporary communication gear will be used but later removed as operations 
become more sophisticated and confidence in the system is obtained. This would be 
gear used locally during the flight test program. Hopefully, from a cost standpoint, 
there would be very little extra to remove. Mostly TM channels, etc. , would be removed 
and on-board autonomous equipment utilized to the fullest extent. Thus ground operations 
during flight would be reduced to a minimum. Unique operational technology developments 
are needed to keep operational costs low. A trade has to be made using existing versus 
new operational tracking equipment so that only costs chargeable to the Shuttle occur. 

Some of the many operations oriented technology studies in work are: Terminal 
approach and landing visibility envelopes; Auto pilot handling qualities; Flare and decrab, 
1NS/ILS smoothing; Operational studies; Test and flight engineering oriented man/ 
machine language; Three landing arresting systems testing programs with FB-111 and 
B-52 aircraft up to 300 M ft- 1 bs energy absorption. 

CONCLUDING REMARKS 

The Shuttle program does pose unusual unsolved opportunities for NASA as well as 
industry in aii areas, but the integration of operations, maintenance and safety technology 
into Shuttle design is where a great payoff will occur for the Space Shuttle program. 

Thus the concept of an economical fully reusable space transportation system can be 
achieved and could well alter the future of world space operations. 
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When I first was asked to give a presentation of about 25 minutes on the experience gained on the Apollo 
Program that was applicable to the Shuttle Program, I was completely stumped as to what to say, but once I started, 
I found that there was a mountain of data available and to say what needed to be said in 25 minutes would be most 
difficult. Anyway, one thing led to another and what I will present to you I hope you will find both interesting 
and worthwhile. 




SHUTTLE MISSION OBJECTIVES 
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Figure 1 



PROCEDURES STUDY PERFORMED 
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PROCEDURES QUESTIONNAIRE PREPARED AND CIRCULATED 
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TYPES OF PROCEDURES SURVEYED 
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COMPARISON OF AIRBORNE VS. GROUND PROCEDURES 
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TOTAL GROUND AIRBORNE BOTH 
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MORE DESIGN CONSIDERATIONS 
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POWER PLANT GROUP 






FREQUENCY OF TESTING NECESSARY ON REUSABLE EQUIPMENT 
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IF THE EQUIPMENT THAT IS BEIHG TESTED WAS REUSABLE, (i.e., SPACE SHUTTLE), WOULD THIS TEST BE REQUIRED EACH TIME THE EQUIPMENT IS USED 
FOR A LAUNCH? 
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AIRBORNE NOT REQ’D 2ND 3RD 4TH 5TH OTHER 

PROCEDURES EACH LAUNCH LAUNCH LAUNCH LAUNCH 

LAUNCH 



MAJOR TIME CONTRIBUTING FACTOR 
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WHAT IS THE MAJOR TIME CONTRIBUTING 
FACTOR IN THIS PROCEDURE? 
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NASA-CONTRACTOR ORGANIZATIONAL RELATIONSHIP 
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Figure 9 
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Figure 11 
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TEN MOST TROUBLESOME SPECIFIC HARDWARE 
PROBLEMS ON APOLLO PROGRAM 
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• GROUND/VEHICLE UMBIUCALS 



Extremely high failure rates have occurred on both airborne and ground valve position microswitches. 
The major reasons are associated with mechanical adjustments and lack of ability of retain settings due 
to the mechanical nature of the devices and extremely fine accuracies required. 
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adjustments to maintain or change settings. 



Cryogenic point level sensors do not adequately distinguish between wet and two phase conditions. They 
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confidence with minimum expenditures of manhours. 



TROUBLESOME APOLLO HARDWARE PROBLEMS CONTINUED 
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POLLO/SATURN PROCESSING SCHEDULE COMPARISON 
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Figure 13 
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COMMAND SERVICE MODULE 
TOTAL FAILURE REPORTS 
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LAUNCH VEHICLE AND STAGE FURNISHED GSE 
MODIFICATION MANHOURS 
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APOLLO VEHICLE 
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Figure 20 
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AIRLINE VIEWPOINT OF SPACE SHUTTLE 
MAINTENANCE CONCEPTS 

Nicholas Krull 

American Airlines 


INTRODUCTION 

My purpose today is to identify commercial airline maintenance concepts which offer 
the promise of minimizing Space Shuttle maintenance costs. Airlines are uniquely quali- 
fied to offer judgements in this field due to the perishable nature of our product: Namely, 
available ton miles. Airline management decisions continually involve an economic 
tradeoff between: The quality of service provided . . . such as safety, convenience, com- 
fort, and on-time departures; and the cost of maintaining the desired quality of service. 
The final test of operational profitability comes down to our ability to minimize and con- 
trol the maintenance costs required to sustain the desired level of service. 

It is therefore necessary for me to first review the latest and most significant ele- 
ments of "The Airline Maintenance Philosophy." I will put special emphasis on the 
unique management support systems in current use at American Airlines. I will then pro- 
ceed to illustrate where this philosophy can be applied to Space Shuttle maintenance 
requirements as they are currently envisioned. 1 will conclude with some judgements 
about major differences between an airline maintenance environment, and operational con- 
ditions unique to the Space Shuttle. 

AIRLINE MAINTENANCE COSTS 

Airline maintenance costs have increased to a disproportionately large percentage 
of "total" aircraft cost in recent years, in a 15-year aircraft life cycle, these costs 
amount to approximately three times the original aircraft purchase price. For some air- 
craft components and systems, this relation between maintenance cost and purchase price 
exceeds a 3:1 ratio by a wide margin. See Figure 1. 

A variety of airline management control indices are used to monitor and control the 
maintenance operation. The cost per available ton mile parameter provides a measure of 
cost in relation to the amount of payload available. The operating hour data indicates 
the cost level in relation to the mission activity level. The cost per maintenance visit 
reflects the cost per unit of maintenance base activity. These basic measures are used 
by most airlines and all three are required to perform the maintenance management func- 
tion. 


Budget control information is provided on a monthly basis and includes actual main- 
tenance cost compared to forecast maintenance cost. These are reviewed on a monthly 
basis and corrective action programs are initiated when cost overruns occur. See 
Figure 2. 
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Airline Maintenance Costs 


• 2'/t-3 TIMES COST OF PURCHASE PRICE OVER 
LIFE OF VEHICLE 

• MANAGEMENT CONTROL INDICES 

— COST PER AVAILABLE TON MILE 

— COST PER OPERATING HOUR 

— COST PER MAINTENANCE VISIT 

• BUDGET CONTROLS 

— MONTHLY COMPARISONS OF MAINTENANCE 
COSTS 


Figure 1 
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MAINTENANCE CONCEPTS 


Scheduled maintenance in the airline industry today consists of a composite of clean- 
ing services, inspection , functional test, adjustment, removal, replacement, and recon- 
ditioning work performed at rigidly controlled time intervals. As experience is acquired, 
or as conditions change, these elements of the scheduled maintenance program are 
revised upward or downward in terms of the original time intervals. Underlying this is an 
extensive system of data collection, communication, analysis, and planning. See Figure 3. 

Unscheduled maintenance consists of on-aircraft and off-aircraft troubleshooting, 
fault isolation, repair, and replacement of components resulting from the indicated defect 
or malfunction. 

Airline on-aircraft maintenance concepts revolve around a practical tradeoff between 
aircraft availability, elapsed time, and maintenance man-hour requirements. Airlines 
are very sensitive to aircraft downtime and the resultant high cost impact. Each hour of 
downtime for component replacement is worth $90 in interest, alone, on a four-engine 
jet. For the 747 jumbo jet it is approximately $ 175/hour. These economics require 
that we minimize aircraft out-of-service time for maintenance causes. 

The maintenance philosophy for determining where to perform the off-aircraft main- 
tenance, either on-site or off-site, is another economic tradeoff, with the parameter of 
spares cost added. 


CONCEPT DEVELOPMENT 

Airline maintenance programs were once based almost entirely on the time limit con- 
cept. See Figure 4. This scheduled maintenance concept required almost all component 
replacement and other maintenance action to be performed at fixed time intervals. This 
concept was based on the following beliefs: 

1. Wearout is a common defect and is a function of time. 

2. Inspections at fixed time intervals can detect failures. 

3. Overhauls at fixed time intervals can prevent failures. 

In the early days of air transportation, these concepts were realistic since the designs 
were relatively simple and equipment could be easily and quickly inspected. Such inspec- 
tions were also quite effective in detecting potential failure modes. For the same rea- 
sons, overhaul was relatively easy to accomplish. These early maintenance concepts 
led to rigidly defined inspection and overhaul periods, commonly known as time between 
overhaul or TBO intervals. 

Since 1948, air transport designs have become significantly more complex due to 
improvements and advances in safety, performance, efficiency, and comfortl This 
technological trend has created a need for the development of new and revised maintenance 
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Maintenance Concepts 


• SCHEDULED MAINTENANCE 

• UNSCHEDULED MAINTENANCE 

• ON-AIRCRAFT 

• OFF-AIRCRAFT-ON SITE 

• OFF-AIRCRAFT-OFF SITE 


Figure 3 
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concepts. See Figure 5. The airiines have shown that complex units do not follow 
the same failure pattern as simple parts. A great majority of components do not have 
an increasing failure rate with time in service. This characteristic has been confirmed 
through the experience of many airiines in recent years. This background, in turn, has 
led to the development and acceptance of many new Condition Monitored Maintenance 
(CMM) concepts and programs. The Federal Aviation Administration has also played 
an active role in the development and implementation of these new airline maintenance 
programs. Without their complete cooperation and approval the major changes in airline 
maintenance concepts which have taken place in the last five years would not have been 
possible. 


AMERICAN AIRLINES' RECONNAISSANCE 

This program is a system that integrates the efforts of Flight, Overhaul, Line Main- 
tenance, Engineering, Production Control, Inspection, and Supply in the detection, 
identification, and solution of technical problems. This is accomplished through a data 
collection and analysis system which assists a Problem Action Board in determining the 
necessary corrective action programs. 

CONDITION MONITORED MAINTENANCE 

This is American Airlines' maintenance program for turbine engines which combines 
management systems and computer techniques to determine the necessary corrective 
action to continue the engine in service. Some of the major benefits of this program are: 
Improved schedule reliability, improved maintenance practices, and concentration of 
engine inspections to the specific needs of the engine. 

FIELD MAINTENANCE RELIABILITY 

This is a computer system that is a part of our nation-wide reservation system for 
keeping track of the maintenance status and needs of each airplane in the fleet. Mainte- 
nance actions and requirements are available to any city where a particular aircraft stops. 
This is used to determine the next appropriate maintenance action. 

COMPONENT RELIABILITY ANALYSIS METHOD 

Figure 6 is the result of our analysis of component age-failure techniques using 
this system. It consists of a computer program utilizing actual techniques to analyze the 
failure rates as the components get older in their life cycle. The computer analysis is 
provided the engineer and he uses this as a tool to determine what adjustments in the 
maintenance program might be required. 

COMPARISON WITH 747 OPERATION 

Figure 7 depicts major similarities and differences which indicate that some of the 
Boeing 747 maintenance program concepts can be applied directly to Space Shuttle vehicle 
maintenance. 
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Figure 5 
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Shuttle Maintenance Concepts 
Comparison With 747 Operation 
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747 TYPE MTNC. PROGRAM FOR SHUTTLE 



PRIOR TO EARTH LANDING 


The accumulation and diagnosis of telemetered mission data will be required as a 
complement or substitute for many post-mission functional tests on the Space Shuttle 
vehicles. See Figure 8. 

1 . Due to inability and/or cost of simulating a space environment after earth 
landing. 

2. Because a 14-day maintenance turnaround interval does not permit time to 
conduct elaborate and extensive ground tests. 

This data will be used to establish the unscheduled maintenance bill of work to be 
accomplished after return of the mission vehicles to the maintenance base site. This 
characteristic of the Space Shuttle operation is analogous to the airline which employs a 
Condition Monitored Maintenance (CMM), or on-condition, maintenance philosophy to 
minimize out of service time due to maintenance. 

SAFING AND RETRIEVAL AFTER EARTH LANDING 

After the separate earth landings of the orbiter vehicle and the booster vehicle, a 
retrieval crew will be required to perform the safing operation, which includes the purg- 
ing of unused cryogenics such as liquid oxygen and liquid hydrogen. Following the 
safing operation, the retrieval crew will assist in the egress of the flight crew, remove 
the mission cargo (which may require precautions against radioactive contamination), 
and remove the on-board data recording devices. In the event the initial earth landing is 
made at the destination maintenance base site, the Space Shuttle vehicle will have to be 
towed to the maintenance facility for the start of turnaround maintenance action. See 
Figure 9 . 

Alternatively, the vehicles will have to be prepared for ferry flight return to the 
maintenance base site, if an off-site landing was initially required. As currently 
defined, this ferry flight preparation will include strapping on air breathing engines, 
fueling, general servicing, and the necessary air traffic control clearances. 

Here, again, we find Space Shuttle requirements which are analogous to the typical 
airline operation. Airline expertise in these areas can be an extremely valuable input to 
the operational planning for Space Shuttle vehicles. 

SCHEDULED MAINTENANCE, ETC. 

Tire desire will be to minimize scheduled maintenance requirements after vehicle 
return to the maintenance base site. Nevertheless the eventual maintenance program for 
the Space Shuttle vehicles will require some degree of scheduled maintenance in accor- 
dance with fixed times between repair and overhaul. See Figure 10. 


65 



Maintenance Flow 


• PRIOR TO EARTH LANDING 
— DATA TELEMETRY 
— FAULT DIAGNOSIS 
— MAINTENANCE PLANNING 


Figure 8 






Maintenance Row (cont’d) 


SAF1NG a RETRIEVAL AFTER EARTH LANDING 

— PURGING 

— POTENTIALLY RADIOACTIVE CARGO REMOVAL 

— OTHER FLUSHING 8 DECONTAMINATION 

— MOVE OR FERRY TO MAINTENANCE SITE 


Figure 9 
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Maintenance Flow (cont’d) 


• SCHEDULED MAINTENANCE 
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— SPARE COMPONENTS 
— SPARE MATERIAL 


Figure 10 
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A deferred maintenance program will need to be developed to identify non-criticat 
items that can be deferred or rescheduled to a subsequent turnaround check. These items 
could be controlled by what is known in the airlines as a Minimum Equipment List (MEL). 
MEL specifies allowable tolerances for deactivated components and systems, and the 
checks required to assure backup system integrity. 

Some of the criteria used by the airlines to choose between scheduled maintenance 
and on-condition maintenance are directly applicable to the Space Shuttle. Criteria 
similar to the ones used during development of the 747 maintenance program should be 
considered. Airline configuration control programs are also applicable to a comprehen- 
sive Space Shuttle maintenance program. 

Airline inventory and logistics concepts are applicable to the Shuttle Program. Com- 
puter models to determine spare component and material levels are adaptable and could 
contribute significantly to the optimization of inventory investment levels. 

UNSCHEDULED MAINTENANCE, ETC. 

Many of the Condition Monitored Maintenance concepts employed by major airlines 
can be applied directly to Space Shuttle vehicles, ft is highly desirable that most main- 
tenance activities be performed after it is determined that an "out-of-tolerance" condition 
exists. Preventive maintenance should be limited to those cases where unscheduled 
maintenance is required or reliability can be improved. 

Implementation of an on-condition maintenance concept requires the maximum use of 
all available data from the mission, post-flight inspections, and post-flight tests in order 
to establish the need for corrective maintenance action. The capacity to implement on- 
condition concepts is highly dependent on the application of such maintainability design 
concepts as: On-aircraft accessibility; the ease of fault isolation; the predictability of 
failure modes; and the ease of required remove and replace tasks. See Figure 11. 

The airlines are uniquely experienced in these maintenance disciplines. There is 
a constant pressure on airlines to minimize out-of-service time for maintenance, to 
assure on-time departures and to minimize total operating costs, all at the same time. 
Again, airline experience with these operational constraints is directly applicable to the 
constraints of a Space Shuttle operation. 

QUALITY ASSURANCE, ETC. 

The quality assurance approach to Space Shuttle vehicle maintenance is a key ele- 
ment in realization of the 14-day turnaround goal. The following comments relate to 
maintenance base inspection requirements during turnaround only: 

A variety of test and inspection techniques need to be utilized to optimize cost 
effectiveness, such as nondestructive, self test and automatic test techniques, ft is 
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Maintenance Flow 



• UNSCHEDULED MNTC. 
— SOURCES^ 

- Telemetered data 

- Crew debrief 

- Onboard recording 

- Post flight checkout 

- Inspection 8 test 

— IMPORTANCE OF: 

- Accessibility 

- Fault isolation 

- Predictability 


envisioned that diagnostic analyses will need to be performed by computer during the 
checkout cycle to isolate the cause of malfunction and to determine the repair/repiacement 
necessary to return such hardware to an acceptable condition. Verification and accept- 
ance criteria should be studied from an airline operations standpoint to determine their 
application to Space Shuttle vehicles. Airline traceability and documentation methods 
should also be studied as a means of achieving the 14-day turnaround goal. See Figure 12. 

The following airline maintenance support concepts appear to be directly applicable 
to the Space Shuttle at this time: 

1. The airlines use a number of computer programs to analyze and diagnose the 
condition of the aircraft and determine maintenance requirements. Some of 
these are: Computerized Engine Monitor Log, Eppi oil analysis, oil consump- 
tion data, Airborne Integrated Data System. 

2. Inventory models are used to optimize spare allocations and minimize inventory 
levels. They also assist in the repair versus throw-away decisions. 

3. The techniques used to develop ground support equipment and tooling require- 
ments and procedures for airline turnaround maintenance appear to have appli- 
cation to the Space Shuttle. 

4. Certain airline concepts of personnel selection and training can be applied, 
including skills, aptitudes and certification requirements unique to Space 
Shuttle technology. 


CONCLUSIONS 

From the foregoing discussion of airline maintenance concepts and their applica- 
bility to the Space Shuttle Program, we can conclude that many of these concepts can 
be directly applied. We must, however, at the same time recognize limitations to the 
direct application of these concepts. 

In its early operation the Space Shuttle will not have the benefit of more than 
1,300 takeoffs and landings each day to develop empirical experience. The mainte- 
nance program will have to depend much more heavily on information developed by the 
designer. 

The vehicles will indeed have redundancy in their systems but not to the extent of 
a modern airline passenger aircraft. The maintenance program must recognize this lower 
degree of redundancy. 

Perhaps the greatest limitation will be the psychological and to some degree, very 
real concern over the consequences of a single failure. Commercial aircraft have an 
exceptionally high tolerance to failure and although not common, have the capability to 
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Figure 12 
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make unscheduled landings at alternate airports. There will be a far greater concern for 
the consequences of a failure on the Space Shuttle and this, to a large degree, will be 
directly related to the environment or mission envelope within which it operates. Recog- 
nizing these limitations and building them into the maintenance planning, we can readily 
see that Condition Monitored Maintenance can be applied to the Space Shuttle. We 
believe that it will be necessary in order to achieve the projected 14-day turnaround 
and the desired low cost operation of these vehicles. In addition to the maintenance 
concept many of the management systems can be modified to recognize and control 
operating costs while at the same time improving the dependability for assuring on time 
departures. See Figure 13. I cannot stress too highly that not only the similarities 
but the differences must be recognized and built into the maintenance plan at the time 
of design if we are to expect the desired maintainability in the operation of the Space 
Shuttle Program. 
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Figure 13 


74 






ONBOARD VERSUS GROUND CHECKOUT 
OF FLUID MECHANICAL SYSTEMS 


Louis A, Mavros 
James E. Harward 
Richard H. Prickett 


McDonnell Douglas Astronautics Company - East 


ABSTRACT 


The low cost and quick turnaround requirements of the Space Shuttle Program 
suggest an investigation of the economics of automated checkout systems. This paper 
discusses the trade-off of autonomous onboard checkout versus ground checkout of the 
Space Shuttle Systems. Evaluation is made of the feasibility of automatic servicing, 
checkout, trend analysis, and fault isolation of fluid mechanical systems. Computer 
controlled checkout techniques including Shuttle to GSE electrical interfaces are 
examined. New concepts of testing are discussed and compared to previous methods 
of automated checkout, the ultimate objective being an optimum Space Shuttle checkout 
philosophy. 
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INTRODUCTION 

The one objective of the Space Shuttle program having the most dramatic 
impact on the ground checkout philosophy is quick turnaround. The basic 
turnaround time frame is from landing through deservicing, ground maintenance 
and checkout, propellant and cargo loading, and finally to liftoff. The 
total lapsed ground time: 14 days. 

For quick turnaround, an automated checkout method must be utilized 
in ground checkout of the complex onboard systems. This method must be more 
than the typical go/no-go type of analysis. It must automatically determine 
vehicle system health, trend analysis, and fault isolation down to the Line 
Replaceable Unit (LRU). A determination of whether the automated checkout 
system should be onboard the vehicle or on the ground must be made. 

The degree of autonomy for any space vehicle is a function of its 
capability for self -test. Automatic test capabilities must be incorporated 
into the vehicle system at the onset. The basic design of each component 
and subsystem should lend itself to onboard test, fault isolation, and trend 
analysis. If a system is designed for its operational requirements only, 
with test capabilities implemented as an after thought, the design becomes 
complex, overweight, troublesome, and in many instances unreliable. Ground 
checkout can be divided into the various areas of mechanical, electrical, 
and fluid mechanical. We will examine some of the work accomplished to date 
in automatic ground checkout, and then address the little known area of 
automatic fluid mechanical checkout, as applicable to Space Shuttle and other 
space vehicles of the next generation. 
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AUTOMATIC CHECKOUT TECHNIQUES 

A brief look at past vehicle checkout systems and at a system proposed 
for Shuttle is required to define the checkout configuration that will be 
available for use on fluid mechanical systems of the future. 

At Kennedy Spacecraft Center, an automated checkout system is used for 
high bay prelaunch and pad testing of the Saturn V launch vehicle. 1 In the 
last 20 hours of countdown, the checkout system provides an automated 
capability for $ 5 % of the required functions, 

A computer and associated equipment required to service and checkout 
the Saturn V are located in the Mobile Launcher. A similar computer plus 
test consoles are used in the Launch Control Center (LCC) to monitor and 
control the Saturn V operations. The computers communicate via a data link. 

Data from the Saturn V Launch Vehicle and the support equipment is 
gathered by the checkout system through telemetry and hardwire interfaces. 

The checkout system monitors the status of over 5000 discrete events. 

Another example of an existing automated checkout system is the factory 
and static test facility used to completely test the Saturn. IVB stage during 
factory test and to control and monitor the static firing program at the 
Sacremento test facility. 

The SIVB checkout system contains about 30 units of equipment including 
a computer with its peripheral hardware, a computer interface unit, and 
operator test stations. The system provides automatic event sequencing, 
monitors 1520 bilevel and 127 analog signals, and also uses the computer to 
interpret test results. The checkout system interfaces with the SIVB via 
many hardwires as well as a telemetry system. 

A third computerized system is Acceptance Checkout Equipment (ACE) 1 used 
to checkout the Apollo spacecraft. The Command Service Module of the Apollo 
is checked out by an ACE station containing 25 high and 27 low consoles, 1416 
event lights, 216 meters, 160 channels of analog recording, 516 channels of 
event recording, and 19 cathode ray tube displays, A similar ACE station is 
used for Lunar Module testing. 

The ACE system interfaces with the Apollo through carry on support 
equipment during prelaunch testing. Each ACE station connects to a computer 
complex which controls the flow of commands and data. 

The lack of onboard checkout capability on Apollo resulted in the costly 
ACE complex which requires a large number of operators. A more sophisticated 
onboard system for Shuttle should make a large complex like AGE unnecessary. 
It may be, though, that a portion of ACE could be used by modifying it to 
interface with the Shuttle onboard system. 

The present McDonnell Douglas Astronautics Company (MDAC) 
concept of Shuttle onboard checkout utilizes a digital computer and data bus. 
The onboard central computer complex (CCC) communicates to the subsystem 
LRU through a digital interface unit (DIU) which is connected to the CCC via 
the digital data bus. Two pairs of wires comprise the data bus, one for 
data and the other for a synchronizing signal. 

The DIU recognizes a message directed to it from the CCC and converts 
the digital format into a signal type that the LRU can accept. The LRU 
response is then changed into the digital format by the DIU before being 
sent back to the CCC. Checkout data is integrated with operational traffic 
flow on the data bus which connects the CCC to many DIU’s. 
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A DIU may be either area oriented and serve several LRU's or dedicated 
to a particular LRU, In the latter case, the DIU may be built into the LRU 
or attached to it. During checkout sequences, the DIU has the capability of 
multiplexing signals to and from a number of elements within each LRU. 

The axact composition of the onboard checkout system for Shuttle has 
not yet been determined. Therefore, the complexity and capability of the 
CCC and the DIU's are not finalized. However, checkout techniques under 
study can be discussed and compared. 

One onboard checkout method being considered is centralized checkout. 

With centralized checkout, the CCC analyzes the raw data from the DIU's to 
detect problems or trends. This can include voting the operational outputs 
of several redundant LRU'S or LRU strings, reasonableness tests, and monitoring 
selected LRU parameters. Using a management by exception technique, the CCC 
then informs the crew of a problem or potential problem. 

Instead of centralized checkout, a DIU may contain a microprocessor that 
can perform the checkout analysis. The DIU, after receiving a checkout command 
from the CCC, initiates a sequence to check the LRU(s). After receiving the 
checkout data the DIU analyzes the data and reports the status to the CCC. 

Built in test (BIT) is another method of onboard checkout. The test 
circuitry is within the LRU (and possibly is a part of a DIU incorporated 
within an LRU) . The BIT is stimulated by an external command or by out of 
tolerance LRU parameters. A method of BIT implementation is to provide two 
operational channels which are compared within the LRU. Unlike channel outputs 
cause a no-go signal to be sent. 

Centralized checkout can allow the use of less complex DIU's, and off 
the shelf LRU's without BIT. System level tests are possible; the output from 
a string of LRU's can be analyzed by the CCC and is a good indication of proper 
operation . 

BIT, on the other hand, enables problem isolation directly to the LRU. 
Checkout by BIT or a DIU microprocessor also requires less CCC capability and 
less complex software, IRU bench tests are simpler with BIT since BIT circuits 
perform part of the required testing. 

Ground checkout using ground support equipment (GSE) is also possible with 
the data bus concept* Utilizing a ground interface with the data bus, the GSE 
can perform checkout similar to that of the CCC described above. 

Even if GSE is used for ground test, there still must be enough inflight 
onboard checkout capability to determine a failure so that a redundant element 
can be switched into operation. Using centralized checkout, the redundancy 
switching level may be a string of LRU's which could necessitate eixtra ground 
tests to isolate a problem to one LRU. 

The more comprehensive testing that may be required on the ground could 
be controlled by a ground processor that does not have the size and weight 
limitations of the CCC. Such detailed testing could be required during the 
maintenance cycle and in prelaunch hangar subsystem testing. 

At the launch pad, there exists a need for ground executive control of 
the Shuttle even with an onboard checkout system. When no one is onboard during 
propellant loading and in case of an abort, certain onboard functions (and also 
ones on the ground) must be controlled. 

A new GSE concept that may be applicable to Shuttle is that of Universal 
Test Equipment (UTE), The UTE would drive a ground data bus to control servicing 
and support equipment as well as interface with the onboard data bus. A minimum 
number of operators would be required because the UTE would display status rather 
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than all data available, be automated, and have self-test capability. Included 
in the UTE would be color graphic CRT's, a processor, and a keyboard for 
operator entry using a high level test language. A feature of UTE is that it 
could be used on any equipment that can interface to a DIU, and could be used 
for LRU and subsystem testing as well as for system checkout. For LRU testing, 
special test equipment may also be required to provide stimuli and monitoring. 

Checkout, whether it be onboard or ground, results in the accumulation of 
data. In real time, the data is used by the checkout system to detect and 
isolate problems and to detect trends. An important ground function is to process 
stored data to provide trend analysis, especially for mechanical systems, and to 
keep a historical record of the LRU's. The history can be for each LRU as well 
as for each equipment type. 

The handling of data will continue to be a large task. To reduce manual 
effort, it may be worthwhile to provide a computerized data bank for data 
reduction, compression, and storage. The data bank could be linked to UTE at 
the launch site area, the Shuttle factory areas, and possibly at certain vendors. 

In addition to its data reduction role, the data bank could also be used 
to generate onboard and ground checkout programs by utilizing proper compiler 
software . 

Avionic systems generally lend themselves to the checkout philosophy under 
discussion. However, fluid mechanical systems have traditionally been designed 
without interfacing capability with an electrical checkout system. For such a 
checkout method to be fully effective, new ideas for electrical stimuli and 
monitoring must be introduced into the design of valves, regulators, leak detection 
devices, etc, 

FEASIBILITY OF AUTOMATIC FLUID MECHANICAL CHECKOUT AND SERVICING 

Fluid mechanical systems have been one of the larger deterrents in achieving 
a complete autonomous onboard checkout system for space vehicles, particularly in 
the realm of self-test and fault isolation. The Space Shuttle autonomous onboard 
checkout and quick turnaround requirements challenge the fluid component industry 
to take a hard look at the current "state-of-the-art" and what must be accomplished 
in order to meet these new requirements. 

Onboard monitoring of fluid systems during flight and automatic cryogenic 
servicing is within the present capability of most contractors. However, self- 
test and fault isolation to the LRU level is a problem area for fluid mechanical 
systems. The use of ground carts to supply stimuli for onboard tests is time 
consuming due to hookup time, verification of connections, and possible contamination 
of the onboard fluid systems. Additional test points must be incorporated into 
the system, so that complete LRU test and fault isolation can be made. The use of 
onboard stimuli for fluid systems appears impractical, but this, may be because we 
think of testing fluid systems with fluids. Let us envision the self-test of 
fluid systems through other means such as electrical correlation of mechanical 
movements, valve signature traces, ultrasonics, and thin film technology, 

Thomas Crapper, the inventor of the valveless water waste preventer, advanced 
the state-of-the-art in his field. His ingenious solution, which can still be 
observed beneath the lid of most toilet tanks, depends upon a float, a metal arm, 
and a siphonic action to empty the reservoir. The degree of improvement over his 
original concept has been minimal. Recently, however, through the interest in 
ecology and the concern for conservation of water, a new concept utilizing a vacuum 
has been designed. Thus, an environmental concern stimulated new technology. 


79 



Now the need exists to advance the state-of-the-art of fluid components which 
will lend themselves to autonomous onboard checkout. Whose responsibility is 
this new requirement? The fluid component manufacturer, the major contractor, 
or the Government? It is the responsibility of all of us and in order to 
achieve the level which we are Seeking we must pool our resources. 

Automatic test capabilities must be designed into the vehicle system as 
a prime objective. The vehicle engineer can no longer design his system only 
for operational capabilities. The determination of the desired degree of 
autonomy, whether the vehicle design engineer realizes it or not, falls heavily 
in his lap. At the onset of a program, the vehicle system designer and ground 
support and test personnel must determine the degree of autonomy the project 
will achieve. Designers who achieved a level of success on past space programs 
must revamp their mode of thinking to design their components to accomplish 
the objectives of automatic checkout. Many vehicle system can be designed so 
that sensors, isolation valves, limit switches, flow devices, and transducers 
become an integral part of the LRU. Investigations must be made to determine 
the feasibility of testing fluid systems without the application of fluid 
stimuli from an external source. 

The fluid industry shall remain behind in advancing the state-of-the-art 
only so long as the vehicle designers permit. In early space programs the 
design contractor's prime responsibility was limited to design of a lightweight, 
highly reliable operational system. The Space Shuttle program is the beginning 
of a whole new era which will emphasize reusable vehicles, self -test capabilities, 
fault isolation, and trend analysis. The airline industry years ago realized 
that in order to cut costs and reduce down time, spares, and ground test equip- 
ment, it had to implement a new concept of onboard testing as a matter of 
economic survival. The airlines have advanced the state of automatic checkout 
for their avionic systems and have improved the capability of monitoring 
nonelectronic systems. Fluid system designers, fluid component manufacturers, 
and their customer must now bring the level of self-test and fault isolation of 
fluid mechanical systems up to the level of the onboard avionic systems. 

The Space Shuttle program must develop real time status monitoring techniques, 
automatic checkout capabilities, and fault isolation far advanced to that employed 
for any previous space program. No matter how advanced the computerized checkout 
system becomes, the subsystem cannot perform a real time status monitoring for 
automatic checkout unless the LRU can communicate its health status. During the 
design of fluid systems , svery consideration of automatic test should be reviewed 
and implemented if desirable (See Figure I), 

New methods of automatic testing and new concepts in fluid component and 
system design must be implemented. New concepts of testing fluid components 
using thin film transducers, secondary effects, leak detection, application of 
valve signature traces as a diagnostic tool, and electrical correlation of 
mechanical movement will be discussed. The purpose of this paper is not to 
resolve the problems of mechanical and fluid systems, but to discuss new test 
methods which may be thought provoking. 
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FIGURE I 

ONBOARD/GROUND CHECKOUT SYSTEM 












COMPONENT LRU DESIGN 


The electronic ’'black box” concept which includes all the wonders of 
built in test and self-assessment should be applied to the fluid mechanical 
systems. During the design of fluid LRU’s and subsystems, every consideration 
of automatic test, should be implemented. Each LRU should be designed as a 
self-contained assembly which includes all flow, pressure, temperature, leakage 
sensors and test points. Pressure and temperature transducers should be 
combined into one unit to minimize entry points into the LRU. 

The design of an LRU should be such that any part subject to failure may 
be replaced without removing the complete assembly. As an example, an LRU 
which contains a source regulator, relief valve, solenoid, or pneumatic actuated 
on/off valve should be designed such that the faulty seat or failed solenoid 
can be replaced without removing the LRU. This concept is somewhat of a "fix in 
place" method. If the LRU is designed so that seat and valve stem (which are the 
high fail rate items) are removable with the "fix in place" concept, spare parts 
cost, maintenance time of cutting, rewelding, X-rays, and possible contamination 
of the system would be tremendously reduced. For an assurance against leakage, 
fluid LRU’s could be welded or brazed into the system. The LRU’s could be 
designed to include the following considerations: 

(a) An ultrasonic device for flow and leak detection will provide 
flow data during flight and indicate flow and leakage for onboard 
testing, fault isolation, and trend analysis. These units are 
light in weight and do not require direct contact with the fluid 
media, thereby eliminating potential leak points. 

(b) Thin film transducers for pressure and temperature combined into 
a single unit are light in weight (approximately l ounce), 

are nigged, have better stability, and virtually no hysteresis. 

They can be welded in place, thereby eliminating potential leak 
points . 

(c) Valve signature traces of solenoids will provide trend analysis, 
solenoid operation characteristics, and add no additional weight 
to the LRU, 

UTILIZATION OF SECONDARY EFFECTS FOR THE CHECKOUT OF NONELECT RON IC. SYSTEMS 

New techniques to permit a reduction in testing time, technical skills, 
and subsequent cost may be derived by utilizing secondary effects which accompany 
the operation of nonelectronic subsystems. 

Secondary effects are those phenomena which result from the operation of a 
system or subsystem but are incidental to the primary purpose or mission. Thi3 
particular category appears promising because it will disclose incipient or 
actual failures not otherwise possible with the more conventional primary stimuli 
and response checkout techniques. 

The utilization of secondary side effects to determine system health is 
often employed by technicians. Overheated components detected as an odor or 
discoloration, and noticeable sound level changes caused by failing bearings 
are detectable side effects, A study by Illinois Institute of Technology^ gave 
primary emphasis to secondary effects not requiring the physical dismantling 
of a system under test and not currently employed in existing checkout operation. 
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The techniques investigated include the use of acoustical, electromagnetic, 
chemical, and fine particle side effects. With all of these techniques, 
emphasis was placed on the use of natural spectrum signatures to determine 
the status of the system under test. In the areas of electromagnetic and 
chemical side effects, techniques that require the use of very simple built- 
in "seeds' 1 for remote failure indicators were investigated to reduce dependence 
of natural spectrum signatures, 

A review of current and past utilizations of secondary effects in the 
maintenance, repair, reliability, and quality assurance areas indicated that 
these effects are of great value in ascertaining the status of equipment. 

For the most part, however, these effects have not been methodically employed 
for the checkout purposes. It also appears that the utilization of secondary 
effects is of particular importance for the nonelectronic systems where built- 
in w r ire type communication paths do not exist. A wide variety of useful 
secondary effects exist, many of which can be utilized without extensive 
dismantling of the equipment. Probably one of the most important advantages 
of secondary effects utilization is the detection of precursors of malfunctions 
not otherwise possible. In the case of automatic checkout, the sensing of 
secondary effects can create an additional set of "pseudo test points" for a 
large variety of components which will be impractical to implement in the 
conventional checkout system. 

VALVE SIGNATURE TRACES 

Valve signature traces can demonstrate the health status of an electrically 
operated solenoid. Signature traces are established diagnostic tools for the 
determination of the existing and future performance of electrically operated 
fluid valves. Valves usually degrade relatively slowly to a point of malfunction, 
progressive galling, slow response, etc. The valve signature trace will provide 
Information for a computer to determine the valve's health status. The 
information received from the signature traces can determine: 

(a) Electrical continuity 

(b) Valve opening and closing characteristics 

(c) Stuck or nonoperating valves 

(d) Sluggish valves 

(e) Valve simultaneity 

(f) Future performance predictions 

A perfected analytical technique through the use of signature traces would 
conserve countless hours of manual test time. 

During valve signature sampling, a high sample rate is required because 
of the short current rise duration; this duration is dependent upon the size of 
and mechanical forces on the solenoid being tested. 

When solenoid field strength is sufficient to overcome the poppet frictional 
forces, the poppet movement produces a counter electromotive force (EMF) which 
creates a negative slope ("glitch") in the current trace. This "glitch" is a 
detectable indication of the solenoid health status. 

The MDAC-East -- Aerospace Ground Equipment Engineering Department performed 
the following tests to indicate the feasibility of Valve Signature Traces. 

Figure II is a current trace of a normally operating solenoid valve; the 
negative trace or "glitch" Indicates the poppet movement. 

Figure III is a current trace of a failed or stuck valve. Note the smooth 
curve (absence of "glitch"). 
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Figure IV is a current trace of the same solenoid with added forces 
applied to the poppet , Note the additional amount of power and time that 
are required to move the . poppet „ This is one indication of a failing valve. 

A conclusion from these tests is that the current traces are feasible 
and provide intelligent data but must be traced during the complete operation 
time span to be usable. The Space Shuttle orbiter and booster have approximately 
400 electrically operated solenoid valves. Valve signature traces during the 
turnaround period with the utilization of a ground computer would give valuable 
information, and would -take a matter of minutes to cycle all the Space Shuttle's 
electrically operated valves. Information received would be recorded in a data 
bank and compared as required. 

LEAK DETECTION 

Leak detection is a problem for all areas pf space vehicle construction 
and test. Leak detection methods are determined by the type and size of the 
vehicle under test, the allowable leak rate,, and the time available to test. 

Very minute allowable leak rates are associated with long space mission require- 
ments and the hazardous propulsion fluids utilized. To meet the Space Shuttle 
turnaround requirements, new methods of assuring vehicle integrity through leak 
testing must be derived. 

Normal leak test methods include pressure decay, bubbles, and mass spectro- 
meter, However, new techniques uniquely suitable to Shuttle must be investigated. 

SONIC AND. ULTRA SO NIC TECHNIQUES 

Acoustic techniques can be widely used for diagnostic purposes. Some 
sounds are very distinct and, intense while others are very subtle. The high 
pitched sonic hiss caused by escaping compressed gas is quite unmistakable, 
while small leaks have been detected by measuring ultrasonic sound. Sonic/ 
ultrasonic leak detectors can be made fairly sensitive and rugged without 
requiring skillful interpretation, and remote indication is feasible for many 
instances where ambient high frequency levels are not excessive. 

Acoustic techniques utilizing ultrasonic flow meters have been used to 
measure flow velocity through pipes without touching the fluid. The propagation 
of sound is influenced by the motion of the media in which it travels. This 
effect can be monitored by simple vector addition of sound propagation velocity 
and flow ‘velocity. Ultrasonic flow meters have rapid response and freedom from 
damage from cryogenic fluids. Erratic or nonfunctioning valves, intermittent 
pumps, and motor performance are all detectable with flow variation monitoring. 

The mechanical deterioration of components due to excessive wear, excessive 
vibration, etc,, has been proven to be detectable. It appears feasible that 
acoustic techniques can be utilized in many areas of fluid mechanical systems 
to monitor health and perform trend analysis. 

ULTRASONIC LEAK DETECTION 

3 

Ultrasonic leak detection techniques hold much promise for use on the 
booster and orbiter flight vehicles since these techniques will' work equally 
well in the hard vacuum of outer space or for ground operations. 
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Access to the orbiter and booster fluid lines during turnaround will be 
limited so an automatic checkout method must be developed. Suitable design 
and development work is required to adapt these techniques to Space Shuttle 
usage. Fixed sensors attached to the orbiter and booster fluid systems will 
enable leak detection and leak location. Fluid escaping through an orifice 
will generate sound waves that can be detected by the sensors, and the resultant 
output could be fed into the onboard or ground computer. 

With the ultrasonic technique, leak detection can be accomplished during 
the vehicle maintenance cycle and during countdown prior to the next flight. 

Fixed sensors located on each side of flanges on relief valves and near critical 
components will also aid in satisfying the automatic checkout and fault isolation 
requirements, A sensor near a relief valve will indicate if the valve reseated 
in a leak tight condition after a functional test. Sensors will also verify 
valve seat condition without dismantling the system. Monitoring of flow and 
comparison with anticipated values yield information on satisfactory functioning 
of equipment. 


NEW CONCEPTS IN LEAK DETECTION 


A new concept of leak detection being investigated at MDAC-East considers 
the Space Shuttle's onboard leak detection method requirements of low weight 
and short test time. It utilizes a thermistor placed in the item under test. 

A change in temperature due to outside test vehicle environment and/or temperature 
change due to pneumatic expansion is proportional to the pressure increase 
within the test vehicle. The thermistor's resistance decreases in proportion to 
a temperature increase, A pressure sensor inserted within the vehicle tank 
transmits the summation of the pressure change due to temperature effect and 
pressure loss due to leakage. The resistance change from the thermistor and the 
summation of the pressure sensor is fed into a matrix bridge network where the 
variance in temperature will be added or subtracted from the pressure sensor 
output to indicate the quantitative gross leakage. (See Figure V) 

The major advantages of this leak detection method are: electrical leak 

detection of pneumatic systems; temperature compensation; elimination of time 
expended for temperature stabilization; and leak detections performed in a 
maintenance area, 

THIN FILM TRANSDUCERS 

Unavailability of light reliable pressure sensors with good stability and 
low hysteresis has in the past limited use of onboard instrumentation. To 
verify system performance during test, transducers were often added, thus 
inducing a potential leak point and increasing system weight. Frequently just 
a pressure port was provided to interface with a transducer connected during 
ground testing and removed prior to flight. 

A new development in the transducer field is the thin film transducer. 

In thin film transducers, ceramic films are vacuum deposited on pressure diaphragms, 
accelerometers, load cells, or beam-type pressure sensors. The strain gauge 
elements which form the transducer bridge are then deposited on the ceramic 
insulator. With the attachment of lead wires, the thin film sensors are ready to 
be packaged. At this point, sensors can be placed directly in the component or 
LRU, minimizing weight and potential leak points. Thin film transducers excel 
over conventional type transducers in stability, hysteresis, and linearity. This 
type of transducer will allow system designers to build in lightweight pressure 
monitor and test capabilities as an integral part of the system without degrading 
operational capability. 
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AUTOMATIC CHECKOUT OF , MECHANICAL COMPONEOTS THROUGH ELECTRICAL CORRELA TION 

If complete autonomy with built-in vehicle stimuli is to become a reality, 
we might examine whether functional testing of fluid systems really requires 
an external pressure source. For example, is there a meaningful correlation 
between electrical input (stimuli) and a mechanical movement (output)? An 
electrical stimuli might be applied to the static fluid component under test 
and compared to the mechanical response. Through a series of tests, fluid 
system component characteristics may be established and subsequently correlated 
to the electrical stimuli allowing the observed fluid system response to be 
utilized for self-assessment and fault isolation. A planned test by MDAC-East 
involves incorporation of a solenoid on a relief valve to determine if the 
stimuli applied to the solenoid has a direct correlation to the force required 
to displace the relief valve spring poppet. The weight increase to the relief 
valve by the incorporation of a solenoid is at this time an unknown quantity, 
but if we do not venture into various experimental programs, we will never 
find methods of decreasing overall operational costs. 

OTHER CONSIDERATIONS 

In addition to the purely technical considerations of a spacecraft checkout 
philosophy, funding considerations and schedule milestones are interrelated as 
major controlling factors. For some requirements, such as an autonomous checkout 
capability while in space, no compromise is permissible. However, the cost 
penalties imposed by onboard checkout equipment must be determined and compared 
with the operational costs of a ground checkout approach. Development times 
may not be adequate to resolve the attendant problems associated with new test 
equipment or test methods, so that the more feasible approach might be to go 
with a less sophisticated checkout system and update flight and ground checkout 
equipment in a later version of the flight system. Studies should be of sufficient 
detail to identify advantages and disadvantages in specific meaningful terms 
such as "payload sacrifice per pound of onboard checkout equipment," "hours of 
ground turnaround time utilizing onboard checkout equipment," and "hours of 
ground turnaround time utilizing ground checkout equipment." These terms can all 
be related to dollars, 

OPTIMUM SPACE SHU T TLE F LUID MEC H ANICAL GROUND CHECKOUT PHILOS OPHY 

What is the optimum Space Shuttle fluid mechanical ground checkout 
philosophy? Somewhere in between the extremes of onboard/automatic and ground/ 
manual checkout must lie the practical answer: how much testing should be done? 

Past test philosophy has been one of test, test, retest, and test again. 

Highly reliable components have been designed for the various space programs 
and for the commercial airline industry. Let us use these components, restructure 
our thinking, and restrict our level of checkout to minimum essential levels as a 
start toward the optimum philosophy. 

Secondly, we must continue to develop and use the computerized checkout 
techniques. The use of the computer has had dramatic impact on the Saturn/ 

Apollo program. "The Saturn Ground Computer Checkout System checks valves, 
transistors, microelectronics, miles and miles of wiring, transducers, and all 
of the movable and nonmovable parts and circuitry in a real situation with 
each part operating in conjunction with all of the other eight million parts. 
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Four man-years of computational work are done in the relatively few hours of 
countdown before launch."^ Thirdly, we must utilize new checkout techniques. 

The Space Shuttle fluid mechanical systems require a high degree of onboard 
real time checkout, fault isolation, and readiness assessment. Application 
of secondary effects, signature traces, sonic and ultrasonic techniques, and 
built-in thin film transducers will help in achieving this capability, while 
having a negligible effect on vehicle systems weight or system reliability. 

A key factor is that, from the beginning, subsystem cost, weight, test para- 
meters, automatic checkout, trend analysis, and operational capabilities must 
be part of the vehicle basic design concept. Evaluation groups consisting of 
flight test, operational, maintenance, GSE, and subsystem design personnel 
must take an active part in the design of the vehicle system if we are ever 
to reach our goal. 

Reports made as long as 6 years ago by government and private institutions 
reveal a tremendous amount of study on automatic checkout of nonelectronic 
systems. The reports referenced herein are samples of the methods that can be 
utilized. However, if the system designers do not, or will not, investigate 
or implement these advancements, usable technology of automating fluid mechanical 
systems for checkout will remain static. 

Our goal is a fully automated onboard checkout of fluid mechanical systems. 
Based on present levels of technology, cost limitations, and schedule consider- 
ations, we must approach this ideal goal in logical steps. The fluids industry 
must develop hardware capable of automatic checkout utilizing the previously 
mentioned techniques, and responsible contractors must continually strive for 
the fully automated fluid mechanical system. 
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LOGIC DEVICES FOR THE READINESS ASSESSMENT 
OF MECHANICAL COMPONENTS 

D. J. Hartung and C. R. Browning 
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Daytona Beach, Florida 


ABSTRACT 

This paper is directed toward definition of the logic device required for processing 
basic performance data originating at a mechanical line replaceable unit such as a 
pump, pneumatic regulator, valve, et al. Sensor data resulting from state-of-the- 
art instrumentation techniques were examined in detail to determine logic device physi- 
cal and functional configuration. Functional integration of this concept is consistent 
with advanced checkout philosophies. Three logic device implementation concepts were 
considered, and each was found to have application depending upon mechanical compo- 
nent density, complexity, and/or similarity. Guidelines for application of each con- 
cept are discussed. 

INTRODUCTION 

Space programs of the post-Apollo generation include requirements for re-usable ve- 
hicles with a fast turn-around. These requirements impact the existing philosophy 
pertaining to vehicle launch and in-flight readiness. Maintenance and checkout time 
will be at a premium, not only for flight hardware, but also for the non-flight, real- 
time ground support equipment. Existing mechanical devices which are essential to 
both airborne and ground equipment operations do not have the capability to communi- 
cate required status parameters. Thus, techniques far superior to those used for 
previous space programs must be developed and implemented for mechanical device 
readiness assessment. These program requirements dictate the need for automatic, 
self-contained readiness assessment of ground and flight hardware. 

While the capability for self-contained readiness assessment has existed and has been 
incorporated to varying degrees in electrical/electronic equipment for some time, 
little has been accomplished relative to mechanical components. Application of readi- 
ness assessment philosophy to mechanical components will provide operational status 
(go. no-go, caution) and maintenance information for critical Line Replaceable Units 
(LRU's). Selective instrumentation of the LRU's performance parameters, modified 
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by operational tolerances and coupled with a logic device, can provide this confidence 
data as well as "predict”, detect, and isolate faults. In addition to providing compo- 
nent status data, the logic device will receive, decode, and process commands neces- 
sary for LRU control and will operate as an integral part of an overall system contain- 
ing a number of varied, interrelated critical components. The specific functions to be 
accomplished by the logic device depend primarily upon the total system philosophy 
and complexity of those component parameters required for fault prediction. 

Information contained in this paper was derived from the General Electric Company 
study performed (during the period April 21 through November 13, 1970) for the 
John F. Kennedy Space Center, "Techniques for Automatic Self-Contained Readiness 
Assessment and Fault Isolation for Ground and On-Board Mechanical Systems". All 
backup details are documented in Phases I and III Progress Reports 70-831-892 and 
70-831-894, dated 20 July 1970 and 19 October 1970, respectively. 

The objective of that study was to provide direction for achieving the technology by 
which mechanical devices’ performance parameters or discriminants can automati- 
cally, and in real time, be determined and evaluated. The performance parameters 
include data required to check out and monitor these components as well as those 
needed to predict and isolate faults. Implementation of this technology will improve 
the capability for malfunction isolation and detection, permit maintenance on an "as 
required" basis rather than routinely, and reduce checkout time at a potentially lower 
cost with increased mission reliability . 

REPRESENTATIVE MECHANICAL DEVICES 

The approach of the General Electric Company study was to define those Saturn V me- 
chanical components in use on Launch Complex 39 on-board and ground systems and to 
assume that the configuration of mechanical devices used on near-future space pro- 
grams will have, for practical considerations, the same general functions and charac- 
teristics. Therefore, LC-39 mechanical device performance monitoring limitations 
must be resolved before mechanical readiness assessment of future space programs 
can be achieved. 

Initially, a survey of Launch Complex 39 identified 183 on-board and ground systems, 
42 of which were primarily mechanical. These systems were found to contain over 
20,000 mechanical components representing 43 generic families such as accumulators, 
actuators, valves, etc. 
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Utilizing selection criteria tabulated in Table 1, 36 mechanical devices were selected 
as representative of the total population. 


Table 1 

Representative Mechanical Device Selection Criteria 


Primary Considerations 

• Was mechanical device a Line Replaceable Unit? 

• Had similar LRU BEEN IDENTIFIED AS REPRESENTATIVE? 

• Did LRU HAVE A HIGH FAILURE RATE? 

• Did LRU represent a large population ? 

• w AS LRU VERY EXPENSIVE TO BUY OR REPAIR? 

• Was LRU time consuming to repair or verify status? 

Secondary Considerations 

• LRU OPERATIONAL priority. 

• Availability of LRU descriptive data. 

• Preventive maintenance requirements, 

• Flow medium and actuating input, 

• Repair and checkout time. 


The numerical distribution of the representative mechanical devices selected, by ge- 


neric family, was: 

t' 


y 

Generic Family 

Quantity 

Generic Family 

Quantity 

Accumulator 

2 

Fuse , Flo 

1 

Actuator 

4 

Heat Exchanger 

1 

Blower, Fan 

1 

Motor 

2 

Compressor 

1 

Pump 

2 

Controller 

1 

Regulator 

3 

Damper 

1 

Valve 

15 

Filter 

2 




These 36 mechanical devices were subjected to a detailed analysis to establish func- 
tional parameters necessary for readiness assessment and fault isolation. 


MECHANICAL DEVICE READINESS ASSESSMENT REQUIREMENTS 


To ascertain whether a mechanical device is in a go, no-go, or caution status requires, 
first, an identification of those functional parameters which must be monitored to 
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determine readiness assessment. The information necessary to define readiness as- 
sessment requirements either in a static or dynamic operational state was found to 
include : 

a. Part Identification — The mechanical device (LRU) or piece part of the LRU 
under consideration, e.g. , a valve or the poppet, ball, guide spring, etc. , 
of a valve . 

b. Failure Mode— Particular form or manifestation of the LRU's inability to per- 
form its expected action or function. 

c . Requirement Parameter— The most basic measurement which can be made to 
detect the failure mode under consideration. 

d. Parameter Limits — Prescribed boundaries which define go, no-go, and cau- 
tion limits. These limits are not necessarily absolute values, but can be 
relative to some other parametric value. 

A detailed analysis tabulating the above items was completed for each of the 36 repre- 
sentative mechanical devices which are representative of over 20,000 actual mechani- 
cal devices. 

Seventeen separate requirement parameters were identified for the 36 representative 
components. The numerical commonality of these parameters is depicted in Figure 1. 
It should be noted that a specific parameter may occur in more than one manner for a 
given component and may represent vastly different properties in particular applica- 
tions. For instance, the parameter of force may represent seal compression, torque, 
or actuator .output force. 

The representative mechanical devices examined possess typically from 4 to 10 of 
these parameters with 6 being the average number which must be evaluated to achieve 
total readiness assessment capability. 

LOGIC DEVICE APPLICATION 

The deployment of a logic device which will satisfy the overall functions of readiness 
assessment, monitoring, and controlling of critical components is dependent primarily 
on the overall system philosophy, component density, and similarities. Although there 
are many similarities between the three implementation concepts depicted in Figure 2, 
the logic device discussed herein is in reference to Concept 1 which utilizes a dedicated 
logic device for each critical component. The logic device described assumes that the 
included functions will be performed in close proximity to the mechanical component. 
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umber Of Representative Components Using This Parameter For Readiness Assessment, 
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Figure 1. Parameters versus Frequency of Utilization 



CONCEPT »2 - LOGIC DEVICE FOR EACH COMPONENT 

- LOGIC DEVICE FOR GROUPS OF COMPONENTS 


- LOGIC DEVICE FOR GROUPS OF COMPONENTS 




CONFIGURATION CONCEPTS 


Figure 2. Implementation Concepts 
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be established. Once this is done, test algorithms and limits can be selected with a 
good probability of success and can be then optimized experimentally. 

Logic Device Status (Self-Test) 

Each logic device will be capable of determining internal status and operational readi- 
ness by self-test. 

Bidirectional Communications 

The two-way communications function will be performed in a manner compatible with 
the existing data bus concept. The data bus concept is defined as a single cable which 
provides serial data transfer, in either direction, between any of the data bus parallel 
interfaces. The bidirectional communication function includes receiver, decoder, 
verification, transmission, control, and buffer subfunctions. The data bus could be 
redundant with appropriate encoding/decoding modifications to the bidirectional com- 
munication function. 

Stimuli Generation and Distribution 

Primary stimuli are the result of commands generated at an external source, received 
decoded and verified via the bidirectional communication and then transferred to the 
distributor in a form ready for execution. Secondary stimuli are commands generated 
internal to the logic device and are necessary for stimulating the mechanical compo- 
nent for determining readiness. Both primary and secondary stimuli can be discrete 
or analog. 

Measurement Acquisition and Data Processing 

Accomplishing component readiness assessment is entirely dependent on determining 
the component status indicators, selecting the proper sensors, and then selecting the 
processing necessarj' to isolate the discriminant. A logic device discriminant is de- 
fined as processed information, derived from data collected at the component, that 
can be correlated to the performance and operational condition of the component. 

Figure 4 represents discriminants based on three sensor categories, specialized ana- 
logs. analogs, and discretes. The selection of the discriminants and transducers 
which will provide component readiness assessment varies from component to compo- 
nent . The General Electric Company study indicated that a typical component would 
require six monitoring points: 1 specialized analog, 2 analogs, and 3 discretes. 
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DETECTION METHODS 


DISCRIMINANT 


SPECIALIZED 
ANALOG 
THAN SDUCER 


COMPLEX WAVEFORM 


AMPLITUDE 


DETECT RMS 


• RMS VOLTAGE LEVEL (KL) 

• VOLTAGE LEVEL WITH 
RESPECT TO COMMAND 


FREQUENCY 

CONCENTRATION 


REGULAR OR 

IRREGULAR 

TRANSIENTS 


DETECT LEVEL OF 
SELECTED FREQUENCIES 

- FILTERS 

DETECT OCCURRENCE OF 
TRANSIENTS WITHIN 
SELECTED LEVELS 

- PEAK DETECTION 


• SIGNAL LEVEL WITHIN 
SELECTED FREQUENCY BAND 


• PEAK LEVEL (PL) 

• PL/RL CREST-FACTOR 

• NUMBER OF PEAKS 


REGULAR 

TRANSIENTS 


DETECT TRANSIENT 
PATTERNS 

- AUTO COMPARISON 


• LEVEL OF SIGNAL 

CORRELATION FOR SELECTED 
DELAY 


- CROSS COMPARISON 


• LEVEL OF SIGNAL 

CORRELATION WITH MODEL 
SIGNAL 


- SUMMATION ANALYZER 


• SUMMED SIGNAL FOR 

SELECTED TIME INTERVALS 
FOR PEAK TO PEAK 
DETECTION 


ANALOG 

TRANSDUCER 


DETECT AMPLITUDE 


• VOLTAGE LEVEL 
« VOLTAGE CHANGE 

• VOLTAGE WITH RESPECT 
TO COMMAND 


DETECT VOLTAGE CHANGE 
WITH RESPECT TO TIME 


• VOLTAGE CHANGE RATE 

• SLOPE POLARITY 


DELTA 

FUNCTIONS 


DETECT DELTA BETWEEN 
IDENTICAL FUNCTIONS 


• DELTA FUNCTION 
APRESSURE, 

ATEMPERATURES, A FLOW, 
ETC. 


CORRELATION 

FUNCTIONS 


DETECT CORRELATION 
BETWEEN DIFFERENT 
FUNCTIONS 


. • FUNCTION CORRELATION 
PRESSURE VS. TORQUE 
POSITION VS. AP 
AP VS. AF, ETC. 


DISCRETE 

TRANSDUCER 


I SEQUENCE 


DETECT CHANGE 


DETECT SEQUENCE 


. • LEVEL CHANGE 

• CHANGE WITH RESPECT TO 
COMMAND 

• DISCRETE SEQUENCE 
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In many instances the same computation or preprocessing function could be performed 
with either analog or digital techniques. In these instances the logic device would 
utilize the technique or combination of techniques that best satisfy the design objective. 

a. Specialized Analogs— Specialized analogs are considered to be complex wave- 
forms such as an accelerometer output used in structure borne acoustics with 
a frequency content of 0 to 50 kHz. Capability of the logic device includes the 
detection of : 

• RMS signal levels. 

• Signal levels within selected frequency bands. 

• Irregular transients . 

• Transient patterns . 

b. Analogs — Analogs in this category are considered to be of low frequency (0 to 

1 kHz); such as those resulting from temperature, pressure, and flow sensors 
Frequently, information pertaining to the mechanical component status, par- 
ticularly fault prediction, can be determined by isolating those discriminants 
contained in low frequency analogs. Capability of the logic device includes 
the detection of : 

• Amplitude. 

• Slope . 

• Delta between identical functions. 

• Correlation between different functions. 

c. Discretes— Discretes in this category are considered to be event type such as 
those used for sensing discrete liquid level, valve closures, and other dis- 
crete sensors used primarily for component monitoring as opposed to readi- 
ness assessment. Capability of the logic device includes the detection of: 

• Discrete changes . 

• Discrete sequences. 

LOGIC DEVICE PHYSICAL CHARACTERISTICS AND COST 

The logic device is critical to the success of automatically determining component 
readiness. The logic device characteristics (size, weight, and power consumption) 
arc critical in determining the application or deployment of the device in a total system, 
Because of this criticality, a "preliminary" assessment was made relative to its char- 
acteristics and material cost based on existing technology and off-the-shelf piece parts. 
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Characteristics and cost of the logic device are based on the logic device functional 
requirements previously discussed and the assumptions and supporting rationale uti- 
lized to establish the characteristics which follow: 

a. Logic Device Processing Capability — The capability of the device was defined 
to satisfy the processing requirements for one relatively complex component, 
requiring those diagnostic routines necessary to identify the discriminants as 
depicted in Figure 4 . 

b. Dedication of Logic Device — For the purpose of this exercise, the logic device 
was considered to be dedicated to the component (i.e. , Concept 1). The logic 
device would be capable of processing: 

• 6 Transducer Inputs : 

■ 1 Specialized analog, 

■ 2 Low frequency analogs. 

■ 3 Discretes. 

0 4 Output Commands : 

a 2 Analog stimuli, 

s 2 Discrete stimuli. 

0 1 Serial Bidirectional Digital Data Bus Interface with : 

■ Multiple inputs (commands). 

■ Multiple outputs (status, performance data). 

c. Building Block Construction — The logic device would be developed from a 
family of functional modules which will take maximum advantage of the rapidly 
improving large-scale integration semiconductor technology. 

d. Modular Organization — The logic device would be organized in a modular ar- 
rangement employing a minimum number of unique building block modules. 

The functional modularity will provide overall logic device flexibility by per- 
mitting incremental configurations that would satisfy specific operational and 
component readiness assessment requirements. 

e . Memory Selection — Based on the functional requirements , a combination of 
Read-Only -Memory (ROM) and Random-Access-Memory (RAM) was selected. 
The selection criteria utilized was power consumption, size, cost, and speed 
although speed was not a major consideration. The selection resulted in 
2048 8-bit words of static metal-oxide semiconductor RAM and 2048 8-bit 
words of ROM. 

f. Stimuli Distribution— Stimuli , both analog and discrete, would be limited to 
100 milliamperes from the logic device. For those stimuli requiring addi- 
tional power . the logic device will provide a pilot control to a stimuli power 
source external to the logic device. 
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g . Storage — No off-line storage will be required by the logic device , Long-term 
trend analysis will be accomplished by a higher level computational device. 

h. Piece Part Selection — Only off-the-shelf piece parts were selected, and quan- 
tity purchase prices were used. 

i. Power— Regulated ±15 volts and +5 volts will be provided to the logic device. 

j. Analog Conversion— Analogs were converted to 8-bit binary coded decimal 
form. The 8-bit resolution or an output accuracy of ±0.4 percent was felt to 
be adequate for a majority of the applications. 

Table 3 depicts the summary results of this exercise broken down by functional ele- 
ments of the logic device. 

Table 3 

Logic Device Characteristics and Cost 


F UN CT ION 

Si ze 

(Cubic Inches) 

Weight 

(Pounds) 

Power 

(W ATT S ) 

Material Cost 

Est i mates 
(Dollars) 

Bidirectional. Communication 

16 

0.5 

1 

500.00 

Stimuli Generation and Dist. 

8 

0.3 

1 

200.00 

Process ing 

64 

4.0 

4 

2, 000.00 

Measurement Acquisition 

34 

2.4 

7.4 

1, 150.00 

Memory 

20 

1.0 

13 

t, 700.00 

Sel-f-T est 

8 

0.3 

1 

250.00 

P ACK AG l N G 

64 

1.0 

— 

500.00 

Total 

214 

9.5 

27.4 

6, 300.00 


CONCLUSIONS 

None of the representative mechanical components was determined to be completely 
adaptable to readiness assessment by use of existing evaluation techniques. The range 
of adaptability was from 29 percent to 89 percent with the average being 70 percent. 
Looking at the total group, an additional 25 percent can potentially be obtained by de- 
velopment and application of new techniques ; 4 percent can potentially be obtained by 
component redesign; and 1 percent can be obtained by performance of the function by 
alternative methods. Figure 5 displays the relative measure of achievement of readi- 
ness assessment bv each of these methods. 

-I* 
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Figure 5. Methods for Achieving Mechanical Readiness Assessment 


While in theory , all of the representative components have the potential of being com- 
pletely adaptable to automatic readiness assessment, this claim must be qualified. 
First, considerable development work must be done to advance techniques such as 
ultrasonic imaging, optical interferometry, and pattern recognition of images before 
they can be utilized in many of the applications. Second, to achieve problem detection 
and malfunction prediction in a meaningful manner, extensive testing of the various 
mechanical devices will be required in order to identify the significant discriminants. 

A quantitative evaluation or comparison of the discriminants must also be made; that 
is. what size fault can be detected, what size fault is significant in each particular 
case, and at what rate will a detectable fault degenerate to a no-go condition? 

The logic device hardware and technology presently exist to accomplish mechanical 
device readiness assessment. Minimum packaging size would be approximately 
210 cubic inches, cost (in production quantities including manufacturing) would be 
about $12,000 each, and each would consume 27 watts of power. 

A reduction in logic device size, weight, and power consumption could be made possi- 
ble by: 

a. The development of large-scale integrated circuits and hybrids specifically 
tailored to the logic device application. 

b. Dedicating the design for each logic device to satisfy a specific mechanical 
component . 
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The first approach is recommended because it would significantly reduce the physical 
characteristics of the logic device and because the developmental cost could be amor- 
tized over many logic devices. The latter approach is not recommended primarily 
from the standpoint of the expense incurred for the design and development of many 
special-purpose logic devices. 

State-of-the-art technology is changing rapidly in the area of semiconductors; making 
possible, in the next year or two, the development of logic devices with increased 
performance and reliability, while undergoing an estimated 30 percent reduction in 
package size, weight, and power consumption. 
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System concepts may dictate that much of the processing function should be accom- 
plished in a centralized processor as depicted in Concepts 2 and 3. Table 2 highlights 
the conceptual differences. 

The typical application of the logic device may require varying degrees of dedication , 
measurement acquisition, and processing capability. For this reason, the logic de- 
vice design should be modularized, to the extent possible , such that the logic device 
configuration can be selected based on the LRU requirements for readiness assessment, 

LOGIC DEVICE FUNCTIONS 

Mechanical device readiness assessment parameters can be selected, and instrumen- 
tation is available, or can be developed, to provide electronic presentation of those 
parameters; however, processing and interpretation of this data, to translate it into 
meaningful go, no-go caution signals, must employ digital logic. 

The logic device provides those functions necessary to automatically determine the 
operational status of the mechanical component. These functions are: 

• Measurement Acquisition, 

• Data Processing. 

• Status Processing. 

• Memory and Software. 

• Self-Test. 

• Bidirectional Communications. 

• Stimuli Generation and Distribution. 

Figure 3 depicts the logic device and its functional interfaces. 

LOGIC DEVICE CAPABILITY 


Status Processing 

Status processing functions within the logic device will provide the component status 
continuously or when requested by an external source. The component status will be 
one of go. no-go. and caution. The status of the component will be formatted into a 
digital word compatible with data bus techniques. The go status indicates that the 
component is well and that no degradation has been sensed either by direct measure- 
ment or by the diagnostic routines within the logic device. 
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Concept Matrix 































Figure 3. Logic Device Functional Interfaces 


The caution status indicates that component performance degradation has been sensed 
either by direct measurement or by diagnostic routines. The caution status further 
indicates that the component is still capable of performing its intended function within 
its operational limits. The caution status will be accompanied by an explanation iden- 
tifying the component approaching possible malfunction and the cause , determined by 
the logic device, thus providing fault prediction at the component or line replaceable 
unit level . 


The no-go status indicates that the component is not capable of operating within normal 
operational limits. The no-go status will be accompanied by an identification of the 
malfunctioned component and the cause, determined by the logic device, thus providing 
fault isolation at the component or LRU level. 
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Memory and Software 

Memory and software contained within the logic device must be adequate to accomplish 
the processing functions. This includes memory for program storage as well as data 
storage for stimulus distribution and generation, measurement acquisition, data proc- 
essing, status processing, bidirectional communication, and logic device self-test. 

Because of the number of sensor techniques and the processing techniques required to 
assess the readiness of a given component, the software development will require an 
extensive verification program to thoroughly evaluate the logic device -mechanical 
component relationship. This evaluation will be necessary to confirm the test point 
location, sensor selection (sensitivity and selectivity), diagnostic routines, signal 
conditioning, stimulus generation, and the overall ability of the logic device to assess 
the readiness, predict failures, and isolate the fault. Complete specifications of test 
algorithms will require that special attention be given to each logic device input when 
component assessment is completely automated. 

Problems can be anticipated in the generation of algorithm specification. It is gener- 
ally difficult to specify necessary and sufficient test conditions or limits for all possi- 
ble states that may exist. Further, there are no clear-cut rules or guidelines as to 
what constitutes a reasonable limit specification, as an example, complex wave-form 
analysis. This means that the logic device must have the necessary flexibility to meet 
unspecified requirements with a minimum effort. Experience with logic devices indi- 
cates that programmable memory may be replaced with Read Only Memory (ROM) at 
that point in time that the full test and diagnostic procedures for a particular device 
have been tested, tried, and found to be true. 

Finding the most effective discriminant or discriminants for each mechanical compo- 
nent, in the operational environment, is a problem having two basic solutions. Statis- 
tically, if a sufficiently large sample of signatures from good and malfunctioning com- 
ponents is available, it is possible to evaluate a number of discriminants and to select 
the most effective. The success of this approach depends entirely upon a good statisti- 
cal sample, hi many cases, such a sample is not available or would be unreasonably 
expensive to obtain, A second approach is based on the understanding of the mechani- 
cal component and the process by which a particular signature is generated. This 
usually requires a thorough study of the mechanics of the component, operational char- 
acteristics, and environment, so that a model for normal and abnormal signatures can 
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A STUDY OF TECHNIQUES FOR 
THE AUTOMATED VERIFICATION OF 
REDUNDANCY 


F. A. Ford 
T. W. Hass linger 

Radiation / Incorporated / Melbourne, Florida 
W. R. McMurran 

NASA, Kennedy Space Center, Florida 


INTRODUCTION 


This presentation is concerned with the 
problem of verifying the operation of equipments 
in redundant configurations. The facts presented 
are essentially those developed by a NASA- 
sponsored study addressing this problem. See 
Figure 1. 

The presenter was Dr. Alan Ford, of 
Radiation Incorporated, who served as study 
director on that study. 
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Figure 1 



DISCUSSION 


The stringent requirements placed on equipment 
reliability and availability by operations such as 
that of the space shuttle necessitate the extensive 
use of redundant equipments. While reliability 
goals may be apparently achieved by increasing 
redundancy, in practice, the attendant increase in 
system complexity may tend to degrade the accuracy 
of knowledge concerning system readiness. This 
knowledge may be required for mission planning, 
such as abort or go-no-go decisions, for decisions 
concerning whether to go to a backup system — and 
if so which system, or for maintenance purposes. 

Where one-shot missions are concerned, 
repetitive checkout is not required and long count- 
down periods allow redundant equipments to be 
verified individually, with any system reconfiguration 
which is necessary for checkout being perfectly 
allowable. Indeed, in many instances, checkout 
of redundant equipment after installation may not 
be necessary at all. See Figure 2. 

However, in the cases of ground support 
equipment which is employed on a repetitive basis 
and of reusable spacecraft, periodic checkout becomes 
a requirement. Furthermore, short turnaround times 
and the desire to make near real-time decisions on 
equipment performance for mission planning purposes 
in large part rule out the option of reconfiguring 
systems for checkout. These considerations have 
prompted the investigations reported here. 
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The problem addressed here is that of 
gaining status information concerning 
redundant equipments. Knowledge of 
status maybe required for mission planning, 
such as go, no-go decisions, determinations 
of when to go to a backup systems and to 
which system to resort, and for maintenance 
purposes . 


PROBLEM 


REUSABLE REDUNDANT EQUIPMENT 

FUEL VALVES 
HOLD-DOWN ARMS 
COMMUNICATIONS DEVICES 
DATA TRANSFER DEVICES 

KNOWLEDGE OF STATUS NEEDED 

MISSION PLANNING 
USE OF BACKUP SYSTEMS 
MAINTENANCE PURPOSES 


Figure 2 



While several varieties of checkout equipment 
are presently in use, it is true that none are capable 
of verifying redundancy without disrupting the system. 
See Figure 3. In general, they are capable of 
assuring that a function is available, but where 
several items are capable of performing the same 
function, no indication of which ones or how many 
of those items stand ready to properly execute the 
function may be derived. The major questions to 
be answered then are the following: See Figure 4. 

a. Among existing equipments, which are 
adaptable to redundancy verification? 

b. What methods of verification are to be 
favored and what are the advantages 
among the various techniques? 

c. What features should be incorporated 
into redundant designs in order to assure 
that the resulting equipments will be 
verifiable? 

As a first step, consider the features which 
characterize a redundancy design. The list 
includes load sharing, degree of redundancy , 
distinguishable outputs, recovery time, and 
numerous others. See Figure 5. When such a 
list is investigated item by item, it is discovered 
that only four features require attention in order 
to consider a redundant configuration with regard 
to its verification. These are: See Figure 6. 
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Short turnaround times, such as those 
associated with shuttle operation, 
force a need for status verification 
without system reconfiguration. No 
existing equipment is capable of 
verifying the level of redundancy 
present or operating. 
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The questions presented are: 

a) Of existing equipments, which, are 
adaptable to verification? 

b) What verification methods are to 

be favored and what are the relative 
advantages among the techniques 
available? 

c) What design features should be 
sought in future equipment pro- 
curements in order to assure 
adaptability to verification 
equipment? 


QUESTIONS 


1. EXISTING EQUIPMENTS ADAPTABLE? 

2. VERIFICATION METHODS TO BE FAVORED? 
ADVANTAGES AMONG VERIFICATION 
TECHNIQUES? 

3. DESIGN FEATURES TO ASSURE 
ADAPTABILITY? 


Figure 4 
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One may compile a long list of features 
which characterize a redundancy design. 



Back-up Capability 


Recovery Time 


Etc. 


Figure 5 
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Only four of the many features are 
important for the purpose of verification. 


FEATURES IMPORTANT TO 
VERIFICA TtOPil 

• Distinguishable Outputs © Failure Detect Scheme 

• Verification Policy • Output Variation 


Figure 6 
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Distinguishable Outputs 


Whether the individual outputs of the several 
redundant items can be distinguished one from the 
other has a heavy influence on the verification of 
those items. If only a common output from a group 
of redundant equipments is available, for one thing, 
it is obviously impossible to trace a failure to one 
of those items. 

Output Variation 

Jt is important to know whether the output of 
a redundant set of equipment varies with the number 
of properly operating elements of that set. 

Verification Policy 

Whether it is necessary to perform verification 
on a continuous basis or only on a periodic basis 
will influence verification design. 

Failure Detect Scheme 


The verification approach will be influenced 
by requirements imposed as a result of the failure 
detect scheme; i.e. , it is desired to know the 
status of each element or only that a given level 
of operating redundancy is available (perhaps two 
out of three) . 
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Of these four features, only two, distinguishable 
outputs and output variation are intrinsic to the 
redundancy design. The other two are fixed by the 
requirement of the verification process. 

By setting up a dichotomous situation with regard 
to each of the four features above and enumerating all 
the possible combinations of features, mutually 
exclusive classes for redundancy (with respect to the 
needs of verification) may be established. These 
classes are defined in Figure 7. The figure should 
be read, for example, as a class A situation being 
one wherein the outputs/effects of each redundant 
element are distinguishable, it is required only to 
know the number of operable elements and not the 
status of each element, continuous verification is 
required, and the output of the redundant set varies 
with the number of operational elements in the set. 
Several combinations of features lead to situations 
which are inherently unverifiabie. These situations 
have been lumped together into class H. These 
definitions are important in that they form a basis 
for discussing redundant situations which is independent 
of the function and form of the redundant elements and 
in that unverifiabie situations are identified. 

A design process, a general approach to the 
problem of designing a verification system has been 
defined. The process is outlined in Figure 8. An 
important feature of the process is the basic division 
of the problem into two problems, the set problem 
and the group problem. While no formal definition 
will be offered here, the group problem is the large, 
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Classes for redundant equipment may be 
established in terms of their character- 
ization by the four features previously 
mentioned. This leads to the identification 
of situations which are inherently unverifiable. 



120 


Figure 7 











A general process for designing verification 
equipment has been established. The overall 
problem may be treated either as a set problem 
or as a group problem. Its treatment as one 
or the other of these will be dictated by 
characteristics of the redundancy to be 
verified. 


VERIFICA TION 
DESIGN PROCESS 



Figure 8 


121 




general problem (a group may contain several 
separate occurrences of redundancy and some 
may be internal to others) and the set problem 
is the special, but frequently encountered, 
problem of a single occurrence of redundant 
equipment which may be verified independent 
of other occurrences of redundancy. See 
Figure 9. A group may contain several sets 
but not vice versa. As an example, three logic 
modules arranged in a majority voting manner 
would constitute a simple set. It is the set 
problem which has received the most attention 
in this work. 

By considering what is truly necessary to 
derive a statement of operational integrity of 
redundant equipments, a general model for the 
verification process has been developed. This 
model pictures the process as consisting of five 
functions. See Figure 10. The first of these 
is Coincidence Development, where some type 
of comparison is formed. The second is 
Parameter Estimation, basically a smoothing 
operation. The third function is Mapping to 
Conditional Status. In this function, a state- 
ment of operational integrity is arrived at from 
the information developed in the two previous 
functions. This statement must be made on a 
conditional basis in many cases, because, for 
example, a "bad" output can be taken as an 
indication of improperly operating equipment 
only if it is known that the input to that equip- 
ment is "good." Rather obviously, then, the 
fourth function is that of Status Resolution, a 
function which removes conditionality from the 
statement. The fifth and final function is that 
of Status Reporting; it encompasses the machine/ 
man interface. The function of Coincidence 
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A simple set of redundant equipment contains 
no redundancy within any given element. A 
group of redundant equipment may contain 
several various occurrences of redundancy. 



SET 


A) A SIMPLE SET 

(LOGICAL OR RELIABILITY DIAGRAM) 


Figure 9 
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Development has the strongest influence over 
redundancy design since it is the function which 
interfaces with the equipment being verified. 

See Figure 11. 

Within the Coincidence Development function/ 
comparisons may be developed in one of three 
ways; the comparison may be between (or among) 
the outputs of an equipment being verified, 
between such an output and a reference, or between 
the input and output of an equipment being verified. 
From these three basic methods of comparison, 
categories for Coincidence Development techniques 
have been established. These are listed on 
Figure 12 . 

In order to provide the information necessary 
for selecting among the Coincidence Development 
techniques available, bases for comparison have 
been developed and appear on Figure 13. Each 
of the techniques have been investigated with 
respect to these items. 

Realizing the advantages and limitations of 
each of the techniques, a statement of the appli- 
cability of the various techniques has been set 
forth in the matrix of Figure 14. It may be noted 
that not only the class of redundancy being verified, 
but also the type of signal used for verification are 
important to the selection of a Coincidence Develop- 
ment technique. See Figure 15. 

A process for selecting among the Coincidence 
Development techniques available is shown in 
Figure 16. The tenant signal is that signal which 
would exist in the system in the absence of a need 
for verification; i.e. , not a signal injected for 
verification purposes. 
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A very simple example of implementing 
the first three functions of redundancy 
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COINCIDENCE COINCIDENCE PARAMETER STATUS MAPPING CONDITIONAL 

DEVELOPMENT VARIABLE ESTIMATION VARIABLE STATUS 




One may form a categorical listing of 
techniques available to perform the 
function of Coincidence Gevelopment. 



Figure 12 
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Failure Types Detectable - Can the technique 
aid in determining what has gone 
wrong, or only indicate that something 
has gone wrong? 

Shareability - To what extent must equipment 
to implement this technique be 
tailored to the equipment being 
verified? 

Type I & Type II Errors How prone is this 
technique to making verification 
errors? 

Assist in Status Resolution - Does the use of 
this technique decrease requirements 
on the Status Resolution function? 

Complexity - How simple or complex is the 
implementation of this technique? 

Digital Implementation - Is this technique 
amenable to digital implementation? 

Minimum Sampling Rates - What restrictions are 
placed on minimum sampling rates by 
the use of this technique? 

Unsymmetrical Redundancy - If the redundant 

elements are not identical, will this 
influence the use of a given technique? 



© Failure Types Detectable © Complexity 

® Shareability • Digital implementation 

© Type I and Type 11 Errors ® Minimum Sampling Rates 

@ Assist in Status Resolution © Unsymmetrical Redundancy 

Figure 13 


128 



An applicability matrix has been developed 
to express ranges of adaptability of the 
various techniques for Coincidence Development. 
This adaptability is expressed in terms of 
the properties of the signal to be used for 
verification and ‘in terms of the redundancy 
categories or classes which were established 
earlier. 


APPLICABILITY MATRIX 



Figure 14 
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A process for the selection of coincidence 
development techniques has been devised. 

The required inputs to the design have 
been defined as have the interfaces between 
the user and the designer of the verification 
equipment. The tenant signal is that signal 
which exists in the equipment being verified 
in the absence of any requirement for verifi- 
cation; i.e., the signal that would be there 
anyway . 



Figure 16 
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After the Coincidence Development function 
forms a comparison, and after the results of that 
comparison are smoothed by the Parameter Estimation 
function. Mapping to Conditional Status functions 
as a simple partioning process. It will often be 
desirable to use two or more properties of a signal 
in order to derive a statement of status. This 
results in a multidimentional status variable, 
the status variable being the output of the Parameter 
Estimation function. When the status variable is 
multidimensioned , it will generally be possible to 
set up a truth table to translate measurements into 
a statement of conditional status. 

The achievement of continuous verification will 
frequently be a very difficult task. The question 
of what degree of mission success is attainable if 
only periodic verification is employed was addressed. 
The result is a set of curves, an example of which 
appears as Figure 17. The likelihood of mission 
success, 1-a, appears as a parameter with the time 
between verifications, T, being a function of the 
mean time between failures of an element in the 
redundant set. Results are available for mission 
success criteria which require one of two, one of 
three, and two of three (corresponding to the majority 
voting case) redundant elements to operate success- 
fully. 

In summary, this work has resulted in a meth- 
odology for the design of redundancy verification; 
it has provided means for identifying situations which 
will be uni verifiable; see Figure 18, it has resulted in 
tools, such as the graph of Figure 17, which assist in 
making the choice between continuous and periodic 
verification; it has produced design criteria to be 
imposed on redundant equipment in order to ensure 
that verification will be possible; and, finally, see 
Figure 19, it has provided guidance for implementing 
the previously identified functions of verification. 
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Figure 17 


The causes of an unverifiable situation are: 

a) characteristics of the situation 
place it in redundancy class H. 

b) inaccessibility of the electrical 
points necessary for verification. 

c) the signal available for verification 
is not sufficient to establish the 
desired confidence in the verification. 

d) basic incompatibilities between 
verification equipment and equipment 
being verified. 


UN VERIFIA BL E SITU A TIONS 

1. Redundant Situation cz£> Class H 

2. Electrical Points Inaccessible 

3. Signal Available^^> Verification Confidence 

4. Basic Incompatibilities 

Figure 18 
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SUMMARY 

METHODOLOGY FOR VERIFICATION DEVELOPED 

UNVERIF1ABLE SITUATIONS IDENTIFIED 

AIDS FOR JUSTIFYING CONTINUOUS VERIFICATION 

DESIGN CRITERIA DEVELOPED 

GUIDANCE FOR IMPLEMENTING VERIFICATION 
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SPACE SHUTTLE OPERATIONS ANALYSIS 
BY COMPUTER SIMULATIONS 

Don G. Satterfield 

International Business Machines Corporation 


SPACE SHUTTLE OPERATION ANALYSIS 


Planning for the Space Shuttle launch operations will be an order of magnitude greater 
than that required in all previous launch programs. 

Optimization of fleet size, facilities and support equipment must be accomplished if 
cost effective goals of the program are to be met and, indeed, if program launch rates 
and schedules are to be maintained. Figure 1 lists alternate concepts that must be 
evaluated over the entire program to determine the most efficient and effective mode of 
operation. 

o Multiple vehicles will have to be processed in parallel if the high launch rates 
are to be achieved. On previous launch programs, vehicles have been processed 
serially. 

o Requirements for a variety of space shuttle missions must be handled efficiently. 
On the previous launch programs long lead time was available for mission 
planning. Future space shuttle flight programs must be highly flexible to 
respond to a variety of new requirements. 

o High launch rates using a fixed fleet size will require short turnaround cycles. 

A controlled transition must be made from the research and development phase 
of the program to the fully operational phase. 

o The variety of missions to be flown will contain a number of different payloads. 
Timely integration of payloads must be accomplished to avoid constraints to 
the high launch rate. 

The use of computer simulations provides an effective method to aid in the optimization 
of fleet size, facilities and support equipment. It provides a useful tool to test the 
impact of new requirements as well as evaluate the risks associated with decisions. 
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SPACE SHUTTLE OPERATIONS MODEL 


The mode! of a system is the heart of any simulation. The model that is being used 
for the space shuttle was generated using functional flow diagrams developed during 
Space Shuttle Phase B studies. Further development of the functional flow (shown) 
has identified requirements for a number of vehicles, a number of facilities and a 
number of other support items. Time estimates have to be made to accomplish those 
tasks identified as requirements to process a vehicle. 

The functional flow shows the logic and decision points for each vehicle from launch 
through landing. See Figure 2. A software model has been developed that contains 
the same logic. The model reacts to a simulated vehicle in a manner similar to the 
real system. When launch rates are introduced into the simulation model, data 
obtained will give insight into the system's behavior. 

Significant features of the model include: 

o Learning curves are implemented for each task. 

o Vehicles are serialized for individual investigation. 

o Tasks are worked on two or three shifts, five or seven days a week. 

o Durations of missions are varied to match launch rate model. 

o Operations from first vehicle delivery through total ten-year program are 
simulated. 

o Reports are tailored to specific area of investigation, 
o Modification of the model is easy. 
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SPACE SHUTTLE-FUNCTIONAL 
FLOW-OPERATIONS MODEL 
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BASIC MODEL 


The basic model (see Figure 3) was exercised to evaluate the system's ability to 
accomplish the 445 launch mission model. The model was iterated a number of times 
to establish the required facilities and fleet size. It must be emphasized that the 
resources tabulated by the model are only as accurate as the estimates of time required 
to perform individual tasks. Waits for support were encountered in the model flow but 
none were of such significance as to affect the launch rates. The maximum fleet size 
utilized during the first year was determined to be three Boosters and four Orbiters. 

This exercise demonstrated that the facilities and the number of vehicles identified 
could support the launch rate. Other data obtained included: 

o Number of flights by each vehicle, by serial number, by year 

o Year and day each flight launched 

o Serial number of booster flown and identification of a specific orbiter 
o Number and average time of waits encountered during each year - reason 
o Average utilization of facility by year. 
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Figure 3 
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EXAMINE THE IMPACT OF RESCUE REQUIREMENTS 


The basic model was modified to examine the impact of rescue requirements, see 
Figure 4. A test was inserted in each launch process to check if a rescue vehicle 
would be available for launch in the required time. If a rescue vehicle was not ready 
within the required time, the prime vehicle was held until the rescue vehicle became 
available. The test was made just prior to fueling the prime vehicle. 

Three conditions were investigated: 

Condition 1 - Rescue launch capability required 32 hours after launch of the prime 
vehicle. 

Condition 2 - Rescue launch capability required 16 hours after launch of the prime 
vehicle. 

Condition 3 - Rescue launch capability required 16 hours after launch of prime 
vehicle. With reduced launch rate, impact of reduced fleet size. 
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EXAMINE IMPACT OF RESCUE REQUIREMENTS 


• CONDITION 1 


« CONDITION 2 


• CONDITION 3 


- RESCUE LAUNCH CAPABILITY WITHIN 32 HOURS 
4 BOOSTERS - 5 ORBITERS 

- RESCUE LAUNCH CAPABILITY WITHIN 16 HOURS 
4 BOOSTERS - 5 ORBITERS 

- RESCUE LAUNCH CAPABILITY WITHIN 16 HOURS - 
REDUCED FLEET SIZE 

3 BOOSTERS - 4 ORBITERS 


Figure 4 
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CONDITION 1 


The rescue requirement has minimal impact on the number of launches achieved. The 
mission model was met in every year, except for the 9th and 10th years. The notable 
impact was in the utilization of the launch pad and the mobile launchers (Ml). Waits 
were encountered for the mobile launchers but total launches achieved were only reduced 
by five. " 

A total of 440 launches were achieved. See Figure 5. 
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LAUNCHES 


CONDITION l 



• 440 LAUNCHES 

• LAUNCH PAD NO CONSTRAINT 

• WAIT ENCOUNTERED FOR MOBILE LAUNCHERS 


YEAR 
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10 

NUMBER 

21 

25 

23 

22 

AVERAGE HOURS 

22 

37 

39 

36 


• MINIMAL IMPACT ON BASIC MODEL 

• FLEET SIZE 

ORBITER - 5 

BOOSTER - 4 


Figure 5 
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UTILIZATION CHART 


Basic and Condition 1 


Figure 6 shows the impact of the rescue requirements on the launch pad and the mobile 
launchers. The early peak is due to a static firing requirement for initial delivery of 
each vehicle. The high utilization of the mobile launcher indicates that it could be the 
constraining item in the flow. 


147 




Figure 6 
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CONDITION 2 


The rescue requirement has serious impact on the number of launches achieved. The 
mission model was met only during the first six years of the program. Numerous waits 
of long average duration were encountered. These waits resulted in reduced launch 
rates . 

The model was changed to add one mobile launcher, then the model was re-exercised. 

A total of 421 launches were achieved of the planned 445. 

The model was changed to reduce launch pad mobile launcher refurbish time by one day 
(reduced from five days to four days). The effect was very similar to adding one mobile 
launcher. Launches achieved numbered 422. See Figure 7. 
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CONDITION 2 
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• 371 LAUNCHES 

• LAUNCH PAD MINOR CONSTRAINT 

• WAIT ENCOUNTERED FOR MOBILE LAUNCHERS 

YEAR 6 7 8 9 10 

NUMBER 45 53 52 S2 52 

AVERAGE HOURS 69 169 172 172 164 

• SIGNIFICANT IMPACT ON BASIC MOOEL 

• 442 LAUNCHES CAN BE ACHIEVED BY REDUCING 
PAD AND MOBILE LAUNCHER REFURBISH BY ONE 
DAY 

« 421 LAUNCHES CAN BE ACHIEVED BY ADDING 
ONE MOBILE LAUNCHER WITH NO CHANGES IN 
REFURBISH TIME 

• FLEET SIZE 

» ORBITER - 5 

BOOSTER - 4 


Figure 7 
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CONDITION 3 


The basic model was returned to the original configuration and the fleet size was reduced 
to three Boosters and four Orbiters. 

The model was exercised and 369 launches were achieved. 

The conclusion: if the reduced launch rate achieved in Condition 2 is acceptable, 
reduction of fleet size can be accomplished with minor impact. 

This example identifies the importance of re-examining a flow after initial constraints 
are indicated. See Figure 8. 
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LAUNCHES 


CONDITION 3 


• 369 LAUNCHES 

• LAUNCH PAD NO CONSTRAINT 

• WAIT ENCOUNTERED FOR MOBILE LAUNCHERS 

YEAR - 5 6 9 10 

NUMBER 11 12 

AVERAGE HOURS 43 53 43 21 

• IF LOWER LAUNCH RATE ACHIEVED IN CONDITION 2 - 
MINIMAL IMPACT ON FURTHER REDUCING FLEET SIZE 

• FLEET SIZE 

ORBITER - 4 

YEAR BOOSTER - 3 


Figure 8 
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UTILIZATION CHART 


Conditions 2 and 3 


Figure 9 indicates the constraints preventing achievement of the planned launches. The 
condition 3 plot indicates that other elements in the flow are constraining launches. The 
most probable cause is the reduced fleet size for condition 3. 
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CONCLUSIONS 


Computer simulation is a capability that provides an effective means of testing and 
evaluating proposed operations concepts. The system's behavior is modeled by a 
computer program which reacts to operating conditions in a manner similar to the 
planned operational flow of vehicles. Years of operations can be examined in a short 
time using simulation to gain insight, test hypotheses and the feasibility of alternate 
concepts. 

Computer simulation is not a precise analog of an actual system, therefore, the user 
must exercise careful judgment in setting up a model and in interpreting the results. 

Generating a computer simulation program is a difficult time-consuming task requiring 
extensive programming experience. To be most effective, a simulation model must be 
structured for rapid execution and be adaptable to modifications as work proceeds. To 
avoid extensive development costs, IBM's General Purpose Simulation System (GPSS) 
has been used to model Space Shuttle launch operations. 

It is apparent that detailed data produced by the model will become more meaningful as 
Space Shuttle program experience is gained. The model can serve as a valuable 
operational planning tool because of the availability of refined inputs. 

It is not suggested that modeling is the solution to all problems, but it is a valuable 
tool in the study of total program operations. The use of computer simulations will 
provide insight into program plans and produce data to aid in the decision making 
process. See Figure 10. 
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CONCLUSIONS 


• COMPUTER SIMULATION IS A VALUABLE TOOL IN ANALYZING 
SPACE SHUTTLE OPERATIONS 

• CARE MUST BE EXERCISED BY THE USER IN SETTING UP THE 
MODEL AND INTERPRETING RESULTS 

• GENERAL PURPOSE SIMULATION SYSTEM IS ADAPTABLE TO 
MODELING THE FLOW OF SPACE SHUTTLE OPERATIONS 

• THE COMPUTER SIMULATION TECHNIQUE CAN BE APPLIED 
TO OPERATIONS PLANNING 

• TOTAL PROGRAM IMPACT CAN BE ASSESSED AS NEW 
REQUIREMENTS ARE IDENTIFIED 


Figure 10 
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USING THE COMPUTER AS AN AID IN PLANNING 
OPERATIONAL ANALYSIS BY SIMULATION 

Raul D. Smith 

NASA, Kennedy Space Center, Florida 
INTRODUCTION 

How can you use a computer as an aid in planning? By providing a means of communi- 
cating with it! There are two problems in communicating with a computer, how you 
talk to it and how it talks to you. How you talk to it is relatively simple - through an 
interpreter - programmer! How it talks to you is really the problem. 

What usually comes out of a computer is a compromise. It depends on the interpretations 
between the user and the programmer and the programmer and the machine. See Figure 1. 
And once-in-a-whi le a keypunch operator throws in an interpretation or two. 

COMPUTER APPLICATIONS AND LOGIC 

No wonder the computer talks so much and in such strange manners: strange, that is, 
to a manager. The usual result of this wondrous addition to our brain and fingers is 
what I jokingly refer to as COMPLOP, communications plopped on your desk to be 
waded through to find the answer. See Figure 2. The analysis of this COMPLOP is 
in itself a formidable chore, and, until analyzed, its value is not known. 
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Figure 1 





To circumvent the problem, the obvious answers are (1) do not allow interpretations, 

(2) let the user make all the decisions, and (3) restrict the machine to calculations and 
repetitive operations. See Figure 3. 

How do you do this? By a graphic display! For planning, what do you want to know? 
The obvious questions are (1) What, (2) When, (3) How long, (4) How much, (5) What 
if? See Figure 4. These questions can be related to the simple parameters (1) Nomen- 
clature, (2) Time interval, and (3) Dependency. See Figure 5. These three parameters 
can be grouped naturally into a flow diagram, see Figure 6, and extended into a water- 
fall diagram. This is the medium of communications at the Kennedy Space Center. It 
provides a common basis of communications between all contractors and NASA, and 
between all levels of operations. The study of the operational support and programmatic 
effects of a change to this schedule are often time-consuming, complex, and tedious. 
Considerable effort is expended in manipulating these schedules and answering the 
questions of (1) How much, and (3) What if? 

The logic for this analysis has existed for some time. See Figure 7. Electric circuit 
design has allowed analysis for some years in determining the effects of a change in 
the circuit. And notice, the same parameters of nomenclature, time interval, and 
dependency are present. And also notice the addition of an element in a waterfall is 
just a change in dependency. See Figure 8. 

Many contractors are approaching the requirements of planning using a computer, 
McDonnell Douglas has ACTNET, IBM has GPSS, and Grumman, GE, and many others 
have operations models to answer the questions (1) How much and (2) What if? 


160 



COMPUTER OUTPUT 
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Figure 3 



GRAPHICS - THE ANSWER TO COMPLOP 
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Figure 4 
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Figure 6 












What is stated here is an attempt to put all these programs in perspective with regard to 
the operations, to show that computer programs need not be tied around data but only the 
logic of the operations. See Figure 9. Then the logic programs can be applied at any 
level of operations without a new program being required for each level. This is a 
significant point, because if the program is not a usable aid for the lowest entity in a 
program, it is usually not usable at higher levels. Incidently, taking the data out of 
the programming will be a cost saving in programming, as many users will understand. 

But, let's put the data in! See Figure 10. In a typical operational flow, commodities 
are associated with each step in the flow. See Figure 11. A data storage and 
retrieval system, linked with the operational flow can provide summary charts of any 
commodity we wish to examine under any condition of (1) What if, and (2) How much? 
Linear or accumulative plots of any commodity can be analyzed when that commodity is 
summed on the basis of the desired operational waterfall sequence. Similarly, the 
effects of multiple operations can be analyzed by the same techniques. 
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COMPUTER PROGRAMS FOR PLANNING 
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Figure 9 
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Figure 10 


















CONCLUDING REMARKS 


Without graphic communications, where a picture is worth a thousand words, and a 
means of relating pictures to real life, and changing the pictures rapidly and economically 
to reflect real life, computers will have little real use in managerial planning and in 
actual operations. With this capability, operational and planning personnel will have 
one of the most powerful tools they could possess. It allows a fast economical analysis 
of present problems, potential problems, and the avoidance of problems which need not 
be planned. 

Where are we now? We're not there yet! COMPLOP persists! See Figure 12. And 
the present methods of programming each specific task is costly. But we're not far 
away, and there are a few points to remember (see Figure 13) when computers and man 
can really communicate: (1) a computer is no substitute for human reasoning and 
(2) a human is no substitute for computer capability of repetitive operations, but a tool 
is no better than the man who uses it. 
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Figure 12 
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Figure 13 
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FLIGHT OPERATIONS AND SAFETY 


DYNAMICS AND CONTROL FOR ORBITAL RETRIEVAL OPERATIONS 
USING THE SPACE SHUTTLE* 


Marshall H. Kaplan**, William H. Yarber 1 

and Edward C. Thoms 




Edward J . 


Creehan 




Department of Aerospace Engineering 
The Pennsylvania State University 
University Parle, Penna. 16802 

Abstract 

Within the next decade manned space stations will be placed in orbits 
which already contain large numbers of discarded satellites and other objects. 
Retrieval or repair of at least some of this refuse is becoming increasingly 
urgent in order to insure success of many orbital missions and reduce satellite 
replacement costs. Consideration of technical problems associated with retrieval 
operations is of timely concern, particularly in view of the current development 
of an economical space transportation system, the space shuttle. The study dis- 
cussed in this paper is concerned primarily with dynamics and control problems 
associated with rendezvous and capture of an uncooperative object. A general 
discussion of retrieval problems is offered, and problems peculiar to rescue from 
a tumbling space station are briefly outlined. Specific areas considered with 
respect to retrieval operations include the problem of despinning an arbitrarily 
spinning object of moderate size, automatic orbit control for maintaining a given 
parking position relative to an object, transfer trajectories of a despin package, 
and techniques for determining spin axis and rate of an uncooperative body. 
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**Assistant Professor 
Graduate Assistant 
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Introduction 


Over the past 13 years mankind has placed in excess of 4,800 objects into 
earth, lunar, and solar crbits.^" At least 2,100 of these are still in orbit, 
most of which are circling the earth. There are only a few hundred satellites 
among this number, with the remainder consisting of launch vehicle upper stages, 
payload fairings, and other components related to insertion of satellites. 

Although the average number density of these objects is negligible, most are 
confined to just a few popular orbits, e.g., synchronous and low, inclined orbits. 
Large space stations will be placed in some of these orbits, while the probability 
of collision is continuously increasing due to further addition of satellites and 
launch vehicle components. Retrieval or repair of at least some of this discarded 
matter is becoming an urgent concern with regard to the success of many future 
orbital missions. 

The high cost of satellite replacement offers another incentive to develop 
retrieval and repair capabilities. Since use of the space shuttle is assumed for 
such operations, repairs could be carried out once the satellite is captured and 
secured by the shuttle. After renovation it could be returned to useful service. 

An alternative to in-orbit repair of a spent satellite is to deliver a replacement 
spacecraft and retrieve the damaged one for later repairs and return to orbit. 

An additional objective of space retrieval operations might be the return to 
earth of satellites particularly important to scientists and curators. Much can 
be learned from satellites exposed to the space environment for long periods of 
time. Furthermore, there is a great deal of prestige associated with retrieving 
some of our early spacecraft. 

A considerable amount of work has been done in the areas of space rescue, 
satellite inspection, rendezvous techniques, and space shuttle technology. However, 
several unique problems associated with rendezvous and docking with an uncooperative 
object have not been consider elsewhere. Of particular interest is the problem of 
despinning an uncooperative object of moderate size and arbitrary shape, which 
possesses an unknown spin rate about its major principal axis. A preliminary design 
of a remotely operated despin package is presented. Its configuration, dynamics, 
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and control systems are discussed in detail. Other problem areas considered 
in this paper include object detection and identification techniques, spin rate 
and axis orientation determination methods, automatic stand-off control for 
maintaining a given position relative to an object, and transfer maneuvers 
between shuttle and object. In addition, a general discussion of retrieval 
operations is presented. 

Operational Aspects of Retrieval 

This study is concerned primarily with the retrieval of unmanned, uncoop- 
erative objects of moderate size, e.g., weather and other scientific data 
collecting satellites whose operation has terminated due to any of several causes. 
Table 1 lists several possible candidates for retrieval. These satellites, and 
other objects, do not incorporate docking provisions, and, in fact, are likely to 
be spinning due to propellant leakage, valve or gyro failure, or initial dynamic 
state. It is assumed, however, that objects to be retrieved are spinning in a 
stable mode about their respective major principal axes of inertia. This is the 
state attained after a period of time in which kinetic energy is being dissipated 
by liquid sloshing, elastic deformation of structural members, or nutation dampers. 
For objects of the size considered here, the time required to reach a stable state 
is, at most, of the order of weeks, after significant attitude disturbances have 
stopped. However, large objects such as space stations which are tumbling, may 
require several months to passively dissipate enough energy in order to reach 
a stable spin state about the major principal axis. Techniques presented here 
would not be directly applicable to rescue from such a space station, primarily 
because tumbling motion does not have an inertially oriented spin axis associated 
with it, which is assumed in the work reported here. 

Since the most economical means of reaching an object in a low orbit for 
retrieval, repair, or elimination will be by using the space shuttle, many aspects 
of the operational sequence assume a man will be controlling the events and 
maneuvers. Automatic control systems are assumed whenever practical, but the 
nature of such missions requires the ability of a man to make decisions and perform 
functions which are prohibitive in an automated mode, because of the inherent 
uncertainties involved. Missions to high altitude orbits would require very 
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similar maneuvers. However, shuttle performance is expected to limit it to low 
altitude orbital missions. Nevertheless, the state of knowledge is assumed to 
be compatible with retrieval missions in the time period of interest. 

The initial task in .a retrieval sequence is considered to be locating and 

identifying the object upon arrival in its predetermined vicinity. The size 

and shape of the search area will greatly influence the method of search and 

identification, and time ,to search. Furthermore, a successful rendezvous requires 

great accuracy in orbit determination. A non-cooperative radar rendezvous system 

for the space station program, which may also be of value to object retrieval 

2 

and rescue missions, has been proposed by industry, e.g., Westinghouse . It is 
understood that the accuracy of orbit determination by ground tracking will permit 
the shuttle to be guided very close to the target object. In fact, the search 
region within which the target is predicted to be located is a cone with a four 
mile diameter, five miles long (la), up to a possible 12 mile diameter, 15 miles 

3 

long (3a) , with the shuttle at the apex. The system offered, by Westinghouse 
for example, has a range of at least 30nm with range accuracy of about 1 percent 
and angular accuracy of 2 milliradians (30). Once in the search cone the system 
can automatically scan the region and detect an object in about a minute. 

One possible method of identification upon initial acquisition of an object 
employs a television camera guided by the radar tracking system. A zoom lens 
can be used to receive an image with limited resolution. If the object is spinning 
a "frozen" scene television display can be produced. This is equivalent to using a 
mechanical strobe, except the picture is "flashed" on a storage tube. The image 
can be held up to about 2 minutes or reinforced at the spin rate of the object. 
However, the degree of resolution is somewhat uncertain with such a system. To 
determine the dynamic state and physical condition of a spinning body with assured 
accuracy and image quality, an optical or electronic strobe is very effective once 
the shuttle is within a few hundred feet of the target. 

After locating and identifying the object, orbital maneuvers are executed to 
approach and acquire a stand-off position relative to the target. If the object 
is not spinning or has some minimal spin rate and is of acceptable size, a direct 
docking may be attempted. Otherwise, the shuttle must maintain a stand-off or 
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parking position while the despin package is deployed to eliminate angular 
momentum. Objects which are too large for retrieval are not considered here. 
However, there are relatively few such items, because their orbits tend to 
decay rapidly due to pronounced drag effects. 

4 

Rendezous maneuvers, which are considered to be standard, are anticipated 
during approach of the shuttle to the stand-off position. Upon arriving at this 
position an autopilot will be enlisted to maintain the spatial relationship with 
the target while the attitude control system maintains proper orientation. 

Assuming a despin maneuver is required, the despin package must make an orbital 
transfer from the shuttle to a position close to the object. The optimum 
position is one in which the axis of the package is in line with that of the 
object spin axis. Fine adjustments are to be made after one of the shuttle crew- 
men checks alignment via remote television cameras on the package. 

Actual attachment to and despin of the object is carried out by a ring which 
is aligned with the object spin axis. This ring is spun up to the same angular 
speed as the target, while the main body of the despin package remains 3-axis 
oriented in an inertial frame. After the ring is synchronized through the use of 
a television camera, it is translated along its axis with the main body until 
a position near the center of mass of the object is reached. At that point attach- 
ment arms are extended from the ring toward its center. Once the target is 
secured by these anas, despin is executed with momentum being dumped via attitude 
jets on the main body of the package. A docking device on this inertially 
oriented body allows the shuttle to rendezvous and recapture the package with 
object in hand, and stow it in the cargo bay for return or repair. 

In many cases it is desirable to eliminate a piece of space junk without 
carrying it in the shuttle. To accomplish this a remotely fired retro-pack could 
be attached to an object after despinning. Of course, this device would reentry 
with the object and would not be reusable. 
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Pespin Package Transfer Trajectories 

Although the actual transfer of the despin package from shuttle to object 
may require several impulses and corrections, an ideal transfer might be one 
in which only two impulses are applied, one upon leaving the shuttle position 
and one to eliminate relative closing velocity at the object. Thrust computa- 
tions are performed in a moving coordinate frame with origin at the target, as 
illustrated in Figure 1. The x-axis is positive along the direction of motion, 
y-axis is normal to the orbital plane, and z-axis is along the local vertical, 
in accordance with Project Apollo Standards. Equations of motion for a transfer 
trajectory to an object in a nearly circular orbit are well-known. ^ In the moving 
x, y, z frame, for thrust-free transfer, these equations are 

x + 2nz = 0 | 

..2 ( 

y + n y = 0 ) (1) 

z - 2nx - 3n^z =0 I 

3 1/2 

where n = (GM /a ) , the mean motion of the target in its orbit. For orbits 

£ 

of interest here, 

-3 

n 10 rad/sec. 

The solution of set (1) is readily obtained in closed form: 


x(t) = cos nt + (^2°. + 6z c ) sin nt + (x 0 - -^ £ -) - (3x c + 6nz 0 )t 

n n n 

y(t) = y 0 cos nt + ^ sin nt 

z(t) = sin nt - (-^ 5 - + 3z c ) cos nt + (-^a. + 4z 0 ) 
n n n 


( 2 ) 


Of course, the out-of-plane y- component results in simple harmonic motion. Since 
the shuttle is assumed to be in the object orbit plane, this component of motion 
is initially zero, and remains so for the transfer. The despin package will 
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Figure 1. Shuttle/Object Relative Position Nomenclature 



generally have to perform a terminal maneuver taking it out of the original 
orbit plane for alignment with the object spin axis. 

In-plane transfer motion is coupled between x- and z-components . Although 
this is stated as an initial value problem, the only acceptable values of 
initial conditions x D , z 0 , x c , and z 0 are those which result in x and z simultan- 
eously approaching zero at some reasonable time after leaving the shuttle. Values 
of x and z at that time represent the closing velocity between despin package 
and object, and a thrust maneuver is required to avoid collision and establish 
a parking position along the spin axis of the target and very close to it. 

Since solution set (2) is linear in initial velocity components, the required 
values of these components can easily be well approximated as functions of x G , z Q , 
and t by setting x = z = 0 and solving for x 0 and z 0 . As a further simplication, 
the shuttle is assumed to be positioned on the x-axis. Then z Q = 0, and initial 
velocity components are given as 

• - -nx 0 sin nt 

x ° 8(1 - cos nt) - 3nt sin nt 

2nx 0 (1 - cos nt) 

5,0 8(1 - cos nt) - 3nt sin nt 

These resulting expressions indicate that initial relative velocity requirements 
for the despin package transfer are functions of x D and time of transfer, t. For 
example, if the object is in a circular 200 km orbit with the shuttle positioned 
100 ft. ahead of it, in order to transfer the package in 15 minutes the initial 
velocity components must be 

x 0 = -0.068 fps 

z 0 - 0.100 fps 

The transfer trajectory for this case is plotted in Figure 2. The shape of this 
path is typical of such transfers. Closing velocity components are obtained by 
differentiating the position expressions, set (2) and evaluating x and z at the 
value of t corresponding to the transfer. 
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Figure 2. Example Transfer Trajectory of Despin Package 



The final approach angle a should correspond to the projection of the 
object spin axis onto the orbit plane. Then a final out-of-plane maneuver by 
the despin package will permit final alignment. For given shuttle stand-off 
position, this angle is only a function of transfer time. The computer required 
to make transfer calculations and generate commands can be housed in the shuttle 
and a data link used to control the despin package maneuvers. 

Shuttle Stand-Off Autopilot 

As previously discussed, the shuttle will be required to maintain a fixed 
relative position with respect to the target during despin operations. It is 
assumed that an automatic system will be used to control a position in the 
target orbit plane at an (x,z) location, as shown in Figure 1. Continuous 
range, range rate, and angle data may be provided by the tracking radar system. 
This information in combination with an inertial navigation system can be trans- 
formed to the x, y, z, x, y, z format and used by the autopilot to generate 
commands for the orbit control system. 

Automatic position control can be modelled by using the non-homogeneous 

£ 

form of equations (1) , 
x + 2nz = f 

x 

2 

y + n y = f 

2 

z - 2nx - 3n z = f 

z 

where f^, f ^ , f^ are the applied acceleration components, including both dis- 
turbance and control forces. As an example of control system synthesis, consider 
the simplified situation in which z Q is zero, as illustrated in Figure 1. 

This assumption leads to homogeneous initial conditions, and a valid transfer 
function, by defining a new coordinate, 

A = x 0 - x 

Initial conditions associated with set (3) become 
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A(0) = A 0 = 0, y (0) = y 0 = 0, z(0) = z 0 = 0 
A(0) = A 0 = 0, y (0) = y Q = 0, z(0) ~ z c = 0 


taking the Laplace transform of the differential equations and solving for 
A(s) , Y(s) , Z (s) gives 


A(s) 


- 0 s V F (V- , 2n , 

2, 2 2. x ,2,2. 

s(s+n) s(s+n) 


F z (s) 


Y(s) 

ZCs) 


2 2 y 

s + n J 


F.(s) 


2 2 z 

s + n 


F (s) + 


2 ' ° 2 F s (s) 

s(s z + n ) X 


(4) 


The control law assumed for this application implies the use of continuously 
variable thrusters. Since feedback is available from the tracking system on 
position and velocity, the control forces may be of the form 

f = - K (X - K A) 

CX X 1 


f 

cy 


= - K y (y - K 2 y) 


f 

cz 


- K (z - K z) 
z o 


where X, y, z and X, y, z are position and velocity errors, respectively. 
Negative signs in the brackets assure negative feedback. Of course, the refer- 
ence values, X , y , z^, y^, z^ are all nominally zero for this control 

situation. 

Figures 3 and 4 illustrate the block diagrams for the three components. 

Note that X- and z- components are coupled, as is evident from equations (3). 

To determine the system transfer functions, each input is taken separately. The 
y- component is uncoupled and has inner loop transfer functions 
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Figure 3, Block Diagram of \ , 2 Coupled Position Control 
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Figure 4. Block Diagram of Y-Component Position Control 






Y_ 
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K 

2 - 

2 2 

s + K s + n 

y 


F 2 2 

dy s + K s + n 

y 


and outer loop transfer functions 


K K 

.. . y — - 2 


s 2 + K s + (K K 0 + n 2 ) 

y y 2 


dy 


s 2 + K s + (K + n 2 ) 
y y 2 


where represents the y- component of disturbance force. 

The two coupled components represent a more difficult situation. Since the 
gain of the coupling term is of the order of the mean motion n, it is easily 
seen that the coupling has relatively little effect on the component systems, 
because the value of n is so low. Therefore, the coupling term will be neglected 
for the moment. An analog simulation was used to verify the validity of this 
assump tion . 

The A- component function in relations (4) is also complicated by the two 

zeros in the numerator of the system equation. Again considering the magnitude 

2 2 

of the mean motion, an approximation can be made by canceling the s - 3n term 

2 

with s in the denominator. These simplications result in a system consisting 
of three identical and independent components. Therefore, an analysis of one 
component is also valid for the other two. 

Steady state errors of the system are found by applying the final value 
theorem. Fpr a step input of unity, the steady state errors in the command 


signal are unity, and the steady state errors in x,y,z disturbances are (- — “) , 

11 ^1 K x 

(pr — ~ ) , and (— — — ) respectively. Thus, as amplifier gains are increased these 

K ^ K 

3 z 


'K 0 K 
2 y 


disturbance errors decrease. 
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The root locus method was used to establish stability criteria and deter- 
mine required compensations. Coupling effects were neglected for the stability 
analysis. Since coupling is so small, stability should not be effected. For 
the y- component, the innerloop pole-zero plot consists of two poles symmetri- 
cally located on the imaginary axis. As the gain is increased with negative 
feedback the locus loops down to the left half of the real axis. Since the 
pole locations correspond to the dimension of the mean motion, low frequency 
and high damping result even at low gains. A high gain will improve the 
response in the total system (outer) loop, giving two poles on the real axis, 
one at zero and the other at the value of K in the left-half plane. With 

y 

negative feedback in the outerloop this locus will have two vertical asymptotes 
breaking away from the real axis at the point corresponding to half the value 
of K . Therefore, by varying both and , the root locus can be positioned 
as desired in the left-half plane. Selection of exact values will depend on 
required response characteristics. 

Since approximations involving the mean motion and coupling effects between 
x- and z- components resulted in identical transfer functions for all three 
components, the stability analysis for each is identical to that of the y- component. 
Validity of ignoring this coupling on stability can be demonstrated qualitatively. 

The original transfer function, including coupling and mean motion terms, indicates 
four poles and two 2eros in the vicinity of the origin. One zero is in the right- 
half plane; implying probable instability of the system. The difficulty in 
compensating this zero may be excessive. However, the associated frequency of 
instability is of the order of the mean motion, i.e., one cycle per orbit. The 
total system frequency should be several orders of magnitude greater than this, 
indicating that the system will respond long before an instability can reach a 
significant value. 

The control system can now be designed to meet the required response criteria. 

Bv proper selection of gains the desired combination of damping ratio, overshoot, 
and natural frequency can be achieved. Since each component is represented by 
a second order system, natural frequency and damping ratio are obtainable directly 
from the location of the poles on the corresponding root locus diagram. ^ 
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An analog simulation of system response was made in order to check validity 
of approximations made in the analysis and obtain response curves for all three 
components. The analog program was developed by substituting values for gain 
constants into the differential equations. These values were chosen such that 
the damping ratio would be about 0.8 and the natural frequency about 30 rad/sec. 
This led to an innerloop gain of 51.2 and outerloop gain of 20.0. Single y- 
component system response in both position and velocity was found for unit step 
and impulsive inputs, as shown in Figure 5. Inputs are either command signals 
or disturbance forces. Significance of the mean motion magnitude on response 
was, in fact, found to be negligible for these operating conditions. Thus, 
responses of the y-component system represent all three systems. 

From these considerations it seems possible to use three simple control 
systems to maintain the relative position of an orbiting vehicle with respect 
to another object. Since each system is a simple second order type, it has 
excellent stability characteristics. 

Spin Axis and Rate Determination 

As mentioned previously, it will be necessary to determine the spin axis 
orientation and angular rate of a passive object before capture by the space 
shuttle. There are several techniques which might be useful for spin determina- 
tion. Two are considered here, one method which has already been briefly dis- 
cussed employs a television "frozen" scene display. The other method makes use 

g 

of a mechanical strobe developed by E. T. Pearson of the Frankford Arsenal . 

This device utilizes two counter rotating prisms to produce a fixed image when 
the prism speed is synchronized with the object spin rate. The method is shown 
schematically in Figure 6. A calibrated drive motor control can be used to 
determine the actual spin rate. The entire unit may be mounted on a rotatable 
platform for limited angular adjustments at its assigned viewing port in the 
shuttle. Application of this device would be limited to providing spin axis 
and rate information to be used for generation of commands to the despin package 
for its initial alignment maneuvers upon reaching the target. Although feasibility 
is still in question, the mechanical strobe offers excellent image resolution 
continuously and is being studied further. 
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Figure 5. Response of Y-Component Position Control to Impulsive and Step Inputs 








Final alignment with the object spin axis may be accomplished through the 
use of two television cameras which provide a bifocal view of the target. The 
cameras will be focused at a given distance from the target which will permit 
alignment and stand-off parking simultaneously. When the angle between the 
spin axis and the center line of the despin package is zero, the axes will be 
aligned. At this point the television display may be operated in the stop- 
action mode and cycled at the estimated rate of target spin. Slight de- 
synchronization will cause an apparent rotation of the target about its actual 
spin axis with frequency equal to the difference between object spin rate and 
camera display cycle rate. This information is used to make fine adjustments 
for final alignment by adjusting the display cycle rate to compensate for the 
frequency difference. The despin sequence may then proceed. 

Despin Package 

The problem of despinning an uncooperative object has been cited as one of 
primary interest in this study. The decision to propose a separate device for 
this operation is the result of safety and performance considerations with respect 
to the shuttle. With a despin package maneuvering about the object at a "safe" 
distance away from a manned vehicle, the risk of bodily harm from a mishap is 
minimized. Crewmen on the shuttle can maneuver a small spacecraft with great 
ease, especially when aligning the package with the target spin axis. 

The despin package is conceived to consist of two major components; tender 

and despin ring. The tender provides all functions required for orbital transfer 

and alignment with the target, while the despin ring performs the actual capture 

of the object. A configuration based on constraints and mission objectives was 

formulated. The complete spacecraft is illustrated in Figure 7, with tender and 

despin ring shown in greater detail in Figures 8 and 9, respectively. Overall 

size of the despin package is limited by the shuttle cargo bay dimensions, proposed 

9 

to be 15 feet in diameter and 60 feet long . This restricts the ring size and, 
in turn, limits the size of objects which can be considered for retrieval. How- 
ever, most objects of interest satisfy this size restriction. The tender is 
configured to allow maximum applied torque from the reaction control system while 
permitting large values of inertias about the ring axis. These innovations will 
minimize propellant requirements and effects of disturbances associated with the 
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Figure 7. Despin Package Shown During Retrieval of OSO 
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despin sequence. Thus, the major dimensions of this main body were selected as 
14 X 14 X 8 feet. Compartments in the four arms contain the power system, 
nitrogen gas reaction control equipment, and command and telemetry system. The 
central cylinder houses the ring spin motor, twin-gyro controllers for the 
attitude control system, a reserve nitrogen tank, and docking drogue. The 
despin ring as conceived here has an inner diameter of 13 feet and an outer 
diameter of 14 feet. The four docking arms extend inward another foot when in 
the retracted position. These arms are independently operated to permit 
capture of arbitrarily shaped objects and can each extend to 6 feet in length. 
Therefore, objects as small as one foot and as large as 11 feet in diameter can 
be handled by the same despin ring. Structural support of this ring is provided 
by four struts as illustrated in Figures 7 and 8. 

The subsystems which make up the despin package may be categorized as 
control, command and telemetry, docking devices, power, and structure. Attitude 
and orbit control systems, in conjunction with remote commands from the shuttle, 
provide maintenance of position and orientation during transfer and docking. 
Twin-gyro controllers were chosen for momentum exchange and nitrogen reaction 
jets for momentum dumping. Since the tender is inertially oriented in the 
attitude maintenance mode there is no first order cross-coupling. Cold gas jets 
have inherently poor performance, but nitrogen gas is relatively safe and easy 
to handle. Fur the mo re , the reaction jet tanks are easily refillable before 
each retrieval sequence. The orbital control system provides thrust impulses 
for transfer to the target and aligns the package with the target spin axis under 
commands from the shuttle. Relative position maintenance is performed by remote 
■commands from the crew. Once the package is aligned, capture should be 
accomplished in a short period of time. Therefore, relative position drift is 
very slight during this time interval, and an automated position control system 
is not required. 

The command and telemetry system incorporates television cameras and two 
antennas, an omnidirectional type for the command and telemetry link, and a 
high gain directional dish for television transmission. The high gain dish 
imposes some constraint on the shuttle stand-off position in order to satisfy 
the viewing requirements for this antenna. One camera is mounted along the ring 
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axis at the center of the support struts, and spins with the ring. This offers 
a very convenient means of synchronizing ring and target spin rates and provides 
a check on alignment. Two other cameras mounted diametrically opposed on the 
central cylinder are used for relative position maintenance through their bifocal 
properties . 

The shuttle/package docking apparatus, shown in Figure 10, consists of a 
folding arm mechanism with probe, docking latches, and tender drogue. The 
folding arm extends a docking probe to a position which is easily observable 
by the pilot. The shuttle then maneuvers to the despin package and upon completion 
of docking, the package is deactivated and retracted into the cargo bay. 

Rescue and Retrieval 

The subject of orbital retrieval naturally gives rise to the question of 
rescue from a space station. Several rescue schemes have been proposed for 
various emergency situations. The one of interest here utilizes an earth-launched, 
manned rescue system, i.e., space shuttle specially equipped for such a mission. 

A typical maneuvering sequence for rescue might be similar to that of a retrieval 
mission except for despinning and docking. It must be pointed out, however, that 
an uncontrolled space station which has suffered a significant attitude perturba- 
tion will in general be tumbling. There is a distinct and unfortunate difference 
between tumbling and spinning. The latter is associated with stabilized rotation 
about a single axis whose direction is inertially fixed and aligned with the 
angular momentum vector. Tumbling motion is associated with a major misalignment 
between angular velocity and angular momentum vectors. This situation is coupled 
with continuous angular motion of all three principal body axes, i.e., no inertially 
oriented axis. Of course, a tumbling body would reach a stable spin state after 
a sufficient amount of energy has been dissipated. However, large bodies such as 
space stations have relatively low dissipation rates and may require several months 
to passively stabilize. 

Astronauts trapped in a tumbling spacecraft could not easily escape and may 
not even be able to move about inside due to the changing nature of accelerations. 
Therefore, rescue from such a situation represents a very different problem and 
one which is likely to arise, because failure of such a station might very well 
be the result of an explosion or collision. Either event would probably cause 
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tumbling and possible loss of attitude control. It is apparent that spacecraft 
attitude motion would have to be arrested before rescue operations could be 
carried out. However, elimination of angular motion of a large tumbling body 
is a very difficult task, because it must be done from a non-tumbling frame. 

A "detumbling package" could not move in such a way as to eliminate relative 
motion, because both the target and detumbling systems cannot simultaneously 
possess the same center of mass location, principal moments of inertia, and 
angular momentum components . 

The space shuttle offers a fast, economical rescue capability. However, 
a great deal of innovation is still needed to develop methods for elimination 
of angular motion of a large body. This appears to be a very difficult task, 
but one which must be done to fulfill a complete space rescue capability. 

Conclusions 

Several of the unique problems of rendezvous and docking with an uncoopera- 
tive object have been considered here. Major areas of concern include the 
determination of spin axis and rate of an arbitrarily shaped body, and the 
problem of despinning such an object. Many assumptions about the mission and 
constraints had to be formulated due to the lack of experience with orbital 
retrieval and space shuttle operations. The large number of uncertainties 
associated with retrieving an uncooperative body indicates a definite need for 
control of the situation by a man. The economic aspects of these missions 
indicate the use of a reusable transportation system. Therefore, a strong case 
can be made for space shuttle application to retrieval operations. 

The principal contributions of this paper are considered to be the formula- 
tion of a general operational sequence for retrieval using the space shuttle, 
development of spin determination methods, and conceptual design of an unmanned 
spacecraft which can despin an uncooperative body. In addition, the technique 
of stand-off parking and intermediate transfer between shuttle and target offers 
safety and increased maneuverability with respect to despinning an object. 
Partial application of the methods used in retrieval may be made to the problem 
of rescue from a space station. The major area of difference is related to 
possible attitude dynamics of a large manned spacecraft. 
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Future studies should yield some optimization of stand-off parking positions 
and transfer trajectories. Further development of the despin package design 
will produce estimates of physical properties and control system responses for 
the various attitude and orbit maneuvers required of the mission. Investiga- 
tions of spin determination methods will eventually lead to a "quick" technique 
for calculating spin rate and orientation. 
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INTRODUCTION 


The control of future spacecraft has reached the threshold of autonomous 
operations. The development of large manned spacecraft for extended earth 
orbital flights and interplanetary exploration demands that the capability 
for more control and mission decisions be on-board. The cost of providing 
ground control for continuous mission monitoring and evaluation for all 
future manned space flights will become prohibitive. It will be impractical 
to dedicate the computer and manpower for the extensive amount of time 
required by planned future manned flights. With space travel becoming more 
routine, the feasibility of controlling each vehicle from the ground becomes 
impractical. The physical size and payload capability of future spacecraft 
will increase the number of vital functions to be monitored and controlled. 

Immediate action in emergencies will require computer diagnosis to assist 
the crew in determining the proper response. Each of the various spacecraft 
will be conducting mission peculiar experiments. These experiments will 
require on-board data reduction and analysis, and the mission timeline will 
depend upon the conclusions drawn from the data. Therefore, this information 
must be immediately available for on-board modifications. 

Because of the nature of any manned spacecraft, the reaction and decision 
time arc critically short and necessitate that a computational subsystem be 
an integral part of the spaceship systems. This computer must not only be 
programmed to automatically control and monitor the spaceship’s functions, but 
must also possess the attributes of speed, accuracy and ease of communication. 
The computer must be integrated into the information system such that decision 
data are effectively displayed In a form which can he analyzed instantaneously. 
Conversely, crew action in responding to alarm situations must be timely and 
with minimum translation. Therefore, the information system must accept data 
in a syntax which conforms to the crew’s vocabulary rather than that of the 
computer. Without these inherent features it would be difficult for the 
spacecraft commander to exercise ultimate authority and responsibility. 

The primary objective of this document is to describe the crew/ computer 
interaction (communications) functions and methods required for future 
space travel. This report summarizes the current results of the Astronaut/ 
Computer Communications Study now in progress at MSEC. The starting point 
in this task is to draw upon the experience which has been gained in the 
space programs by evaluating existing and proposed methods of crew/computer 
interaction. This will result in the characterization of specific criteria 
to form a study baseline establishing trends from which the degree of 
computer automation will be extrapolated. The function of each subsystem 
of the spacecraft will be analyzed to determine the degree of manned and 
automatic control and their interrelationships. 

The ultimate method suggested for future on-board crew/ computer communications 
is voice communications with self- educating computer systems. The methods 
described in this document are not that exotic but are considered as inter- 
mediate solutions to the on-board crew/computer communications. The term 
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’’intermediate ’ 1 is intended to connote a necessary evolutionary step in 
achieving the ultimate solution, not to infer that tetter solutions exist. 

The methods described in this paper are technically feasible and considered 
advanced when compared with conventional systems. They reflect proposed 
hardware and software technology advances anticipated for the period 1973 to 
1980. Although the crew/computer interactive methods described herein do not 
eliminate the needs for knobs and switches as a part of future spacecraft 
cockpit configurations, they do provide a technique for considerably reducing 
the present day requirements. Briefly, the crew/computer communication 
methods presented utilize remote graphic displays for entering data and a 
technology oriented vocabulary for describing tasks to the computer. 

In deriving these techniques, analyses of on-board crew/computer interactive 
functions and methods were conducted. The functions identified as a result 
of these analyses are documented in Section 1 of this report, and the methods 
are discussed in Section 2 . 
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SECTION 1 


FUNCTION CATEGORIES 


In determining on-board crew functions for future spacecraft, an assumption 
was made that future spacecraft would be as autonomous as state-of-the-art 
technology would permit. Ground support functions performed for Gemini and 
Apollo missions were considered as on-board function requirements for future 
spacecraft. To compile a composite list of spacecraft functions an in-depth 
analysis was conducted into the following areas: 

A. Ground support functions required by existing and past spacecraft 
and space missions. 

B. On-board functions required by existing and past spacecraft. 

C. Proposed functions for Space Shuttle. 

A careful investigation of current methods of documenting or listing on-board 
functions of both aircraft and spacecraft disclosed that several techniques 
were used. The more conventional methods were organized by mission timeline, 
mission phase or vehicle hardware subsystems. These techniques were generally 
voluminous in nature and redundant in content; therefore, the organization of 
these functions is considered unsatisfactory. 

The purpose of the study is to define a structured vocabulary and establish 
methods by which space scientists or astronauts can communicate with the on- 
board. computer. In identifying the on-board function by technology or 
disciplines, a structure is established and a direct function, method and 
vocabulary relationship defined. It is for this purpose that the technique 
of grouping related functions into categories was adopted . 

The eight function categories listed below have been, established as a result 
of the analyses conducted in this study. 

ills sion Control — Functions required to monitor and evaluate actual versus 
planned mission data, and to adjust mission plan or correct vehicle performance 
as required to achieve desired mission goals. 

Data Management — Functions required to acquire, process, store, maintain 
and retrieve data as required to support the vehicle and related mission 
functions . 

C ommuni c at ions -- Functions required to select the desired communications 
media (i.e., radio, television, radar, etc.) and related frequency/ channel, 
antenna, and route of communications. 
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Flight Control -- Functions required to maintain vehicle attitude and 
trajectory as required by the flight plan. 

Guidance and Navigation -- Functions required to acquire and reduce G&W data 
so that the vehicle's current versus planned position and trajectory can be 
determined and the degree of deviation and compensating control functions can 
be computed. 

Experiments -- Functions required to perform, monitor, and control experiments 
being performed from space vehicle. 

Maneuver Management -- Functions required to initiate, execute, and evaluate 
success of a vehicle maneuver. 

Operational Status -- Functions required to monitor and maintain vehicle and 
crew operational status. 

The results of this task support the philosophy that each function category 
will have its own interactive hardware and language requirements. This is 
not unreasonable to expect when considering that individual ground disciplines 
have unique computer/communication requirements and that future space languages 
will, by necessity, have to be easy to learn and easy to use. Future space 
missions will find the on-board computer user performing his joh functions 
utilizing language and tools normally associated with his job function and/ 
or discipline. It is also not unreasonable to conceive that all categories 
requirements can be met with one general purpose graphic display terminal. 

Representative function categories determined during evaluation of vehicle 
subsystems will be described in detail. The intent is to define the functions 
comprising three function categories of the eight previously defined and to 
emphasize the requirement (s) for these functions. The format for this 
discussion will present a pictorial overview of the function category being 
described with accompanying prose citing examples for clarity. Many of the 
functions described herein are proposed or anticipated to be operational on 
manned spacecraft such as the Space Shuttle during time frame 1973 to 1980. 

For this reason all functions are discussed collectively as if they were 
operational today. 
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MISSION CONTROL (Figure 1) 


Mission control encompasses sill functions and subfunctions that must be 
performed to assure crew safety and mission success. Basic functions 
associated with this category are: (l) mission planning, (2) mission 

performance monitoring, and (3) commanding. Currently, the performance 
of these functions is a ground support responsibility, but to achieve 
the degree of vehicle autonomy being proposed for Space Shuttle and to 
accomplish future manned space missions (Space Base), mission control 
functions will be required to be performed on-board. This is substantiated 
by the economics and logistics involved in maintaining a dedicated ground 
support mission control center. 

Mission Planning 


Mission planning functions are primarily concerned with the generation and 
maintenance of the mission timeline, a chronological list of mission events 
to be performed. The mission timeline also contains the following data 
related to event performance requirements: 

A. Event support requirements (i.e., subsystems, resources, etc,). 

B. The estimated status of the vehicle and subsystem before and 
after an event Is performed. 

C. Resources and expendables required by the event. 

D. Crew participation requirements. 

E. Ephemeris data associated with the vehicle prior to event 
execution. 

F. Other necessary data required for judgment decision involving 
event execution. 

The mission timeline is also used as a "yardstick" for measuring mission 
performance (i.e., actual requirements versus planned). 

Timeline Event Analysis -- Before scheduling a timeline event the event 
requirements must be Identified to establish the capability of the 
vehicle to perform the event. Once this is established, an analysis 
is conducted of other events already scheduled to identify conflicts 
which could effect event scheduling and performance (i.e., computing 
for resources, counteracting events, etc.). 

Timeline Event Scheduling -- Once the vehicle is found capable of 
performing the event, and the timeline can accommodate the event, the 
event is scheduled. Event scheduling is a tedious task for any event 
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change. A critical analysis must he made of the timeline to determine 
exact times available for event execution and should the event being 
scheduled require a specific time, scheduling conflicts (i.e., resource 
and subsystem availability) must be resolved via predefined shifting or 
rescheduling algorithms. 

Mission Performance Monitoring 


The vehicle "commander" must continuously monitor mission performance, vehicle 
subsystem status and resource utilization rates. In this manner he is able 
to make decisions concerning the mission. For past manned space programs 
(Gemini and Apollo) this activity was performed on the ground with the 
assistance of a large mission control staff. For future manned space 
programs this function will be performed on-board with the assistance of 
the on-board computer and computer software. 

Mission Performance — The performance of the mission is determined by 
comparing actual data generated by the mission in progress with planned 
data generated prior to the mission and predicting mission success based 
on timeline event requirements and new data rates . These functions are 
performed automatically by the on-board computer by comparing the mission 
timeline with data obtained directly from vehicle subsystems . In this 
manner vehicle, crew and schedule performance are determined statistically 
and displayed for information and action by the flight commander. 

Vehicle Subsystem Status — Monitoring vehicle subsystem status is 
another function automatically performed by the computer for the 
"flight commander". 

Resource Utilization Rates -- The flight commander will monitor the 
utilization rates of vehicle hardware and consumables for statistics 
generated by the computer. The raw data used in computing these 
statistics is obtained directly from hardware sensors. Interpretation 
of the computed statistics provides visibility of resource utilization 
performance . 

Mission Commanding 

Commanding functions are those decisions made by the "flight commander" in 
determining the future of the mission being performed. The commander makes 
the final decision whether or not to continue or alter the planned mission 
and implements his decision by issuing commands to effected areas. Commands 
can be verbal orders to crew members, but in many instances commands will be 
computer oriented functions which are initiated by the commander from the 
control and display panel on the mission control console. 

Continue Planned Mission -- Decisions made to continue the planned 
mission will be of the more routine type commanding functions that 
allocate resources, assign tasks and enable computer programs required 
to maintain the planned mission. 
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Alter Planned Mission -- If the "flight commander" decides a mission 
change is required, he must determine: (l) if a modification to the 

planned mission is adequate; (2) if an alternate mission is possible; 
or (3) if an abort situation exists? The ultimate decision will be 
made by the commander considering the mission change requirements and 
the capability of the vehicle and crew to perform. 
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MISSION CONTROL 
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Figure 1. Mission Control Function Breakdown 

























MANEUVER MANAGEMENT (Figure 2) 


Maneuver management is a unique category of functions established to 
coordinate the various interfacing functions required to identify, define, 
and execute a vehicle maneuver. In many instances a maneuver requirement 
will be identified by mission control, in others by flight control. G&N 
determines the control requirements of the maneuver and flight control 
performs the maneuver. The responsibility of maneuver management functions 
is to coordinate function interfaces preparing for the maneuver, executing 
the maneuver, and evaluating success of the maneuver. The functions 
described here are distinguished from those discussed under flight control 
in the flight control is concerned with maintaining a predefined flight 
path. Maneuver management on the other hand is concerned with rendezvous, 
docking, station keeping, and other maneuvers which cease to be trajectory 
oriented . 

Preparation 

Vehicle maneuvers are scheduled on the mission timeline at sufficient time 
intervals to allow for the extensive preparation requirements. A checklist 
of functions must be performed and systems must be initialized in anticipation 
of the maneuver requirements. 

Checklist — Checklist functions are performed to verify condition 
requirements of the maneuver being planned. The checklist is an 
accepted technique for reminding crewmen of the tasks which must be 
performed in verifying the vehicle's operational status and readiness 
to perform the maneuver. Checklist functions for manned space vehicles 
are expanded to include an analysis of the events required to perform 
the maneuver. This analysis establishes the timing and interactive 
function requirements for performing the maneuver. The purpose of 
checklist functions is to minimize, if not eliminate, operating 
problems once maneuver execution is started. 

System Initialization -- Prior to performing a maneuver, vehicle on- 
board systems must be initialized. This requires that the initial 
conditions for respective subsystems be set to accommodate maneuver 
requirements. Some of the suhsi^stems will have components which must 
be enabled before the components respond. (An example of a component 
enable requirement would be hardware settings required for abort 
situations . This enabling technique requires double consideration 
be given the task being performed.) Software as well as hardware 
conditions must be initialized. G&N ephemeris parameters must be 
updated to reflect current status of the vehicle so that any 
accumulated G&N data errors are corrected prior to the maneuver. 
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Execution 


Maneuver execution functions actually schedule the maneuver, initiate the 
sequence of events which perform the maneuver, and monitor the maneuver's 
progress to completion. 

Schedule Maneuver -- Maneuver scheduling functions allocate the actual 
time and time duration for the maneuver, ensuring subsystem and resource 
availability requirements. 

Initiate Sequence of Events -- Initiating the sequence of events is 
described as that function(s) which is required to issue the control 
command(s) that will execute the events which perform the maneuver. 

Monitor Maneuver Progress — • Future manned maneuver progress functions 
will be restricted, almost entirely, to computer interpreted and 
displayed data. Decisions will be based on performance evaluation 
and data being displayed by the on-board computer system. 

Evaluation 

Maneuver management requires both pre- and post-evaluation of maneuvers. 

Checklist Interpretation -- Pre- evaluation of the maneuver is limited 
to the interpretation of data obtained as a result of performing checklist 
functions . 

Position Change Review — Post-evaluation of a maneuver entails a review 
of the maneuver objectives (i.e., position change) and an interpretation 
of the success of the maneuver (i.e., were objectives achieved). 
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MANEUVER MANAGEMENT 



214 


Figure 2. Maneuver Management Function Breakdown 



















OPERATIONAL STATUS (Figure 3) 

Operational status is the term applied to the interactive functions which 
are performed on-hoard the Space Shuttle to maintain the vehicle’s and 
crew’s operating capability. Hie requirement for this type of function 
can be attributed to the proposed mission and vehicle autonomy. To achieve 
these objectives the capability must reside on-board the Space Shuttle to 
detect, diagnose and correct sub -performing systems. This requirement is 
satisfied by the capability provided by the operational status functions. 

Crew 

Maintaining the operational capability of the flight crew is the concern of 
the life support and environmental control functions performed to sustain 
life in a space environment. Crew safety is the major factor in manned 
space flights, and crew operational status functions are designed to detect 
and identify for corrective action any symptoms which could prove hazardous 
to human life. These functions also provide a means for making life in 
space as confortable as possible considering the imposed limitations. 

Life Support -- Life support encompasses those functions which are 
concerned with the physical needs of the body. Specifically, (l) is 
the body medically fit to perform (i.e., mental or physical); ( 2 ) are 
adequate resources available to sustain life (i.e., food, water, oxygen, 
etc.): and (3) is the waste management system sufficient and operational? 

Environmental Control — Environmental control functions maintain cabin 
environment as well as space suit environment. These functions maintain 
a "shirt-sleeve" environment in the space vehicle by controlling the 
temperature, pressure, and atmosphere within the cabin. Future spacecraft 
are being proposed to support an artificial gravity system. This function 
when defined will be considered an environmental control function. 

Vehicle 


Vehicle operational maintenance functions deal with the more popular subjects 
of on-board checkout and electrical requirements. These interactive functions 
permit rapid preflight preparation of the space vehicle and in-flight error 
detection and correction. Primary requirements for vehicle operational status 
functions are in response to vehicle autonomy objectives and proposed long 
duration mission. 

On-board Checkout -- On-board checkout is an obvious function which 
permits on-board hardware subsystem analysis and correction of hardware 
to the line replaceable unit (LRU). A crewman with the assistance of 
the on-board computer can detect hardware faults, avoid faults by 
detecting marginal functioning parts, isolate failures which are not 
immediately apparent, correct the fault, and verify the success of 
the corrective action taken. 
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Electrical -- Electrical functions fire separated from those of on-hoard 
checkout because of the dependence of on-board checkout functions on the 
computer which requires electrical power. Rationale is based on the need 
for trouble shooting power failures in the absence of electrical power. 
For this reason electrical power is separately considered and assigned 
functions for determining and supporting total power requirements, 
allocating the source of power, overall distribution and load leveling 
of power, and of course, its own optional maintenance system. 
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OPERATIONAL STATUS 



217 


Figure 3. Operational Status Function Breakdown 
























SECTION 2 


CREW COMPUTER COMMUNICATION TECHNIQUES 


Early in the study it 130031116 evident that no one crew/ computer communication 
method could he devised to satisfy the requirements of all functions in all 
function categories. The design criteria established for the methods for 
performing on-hoard spaceborne crew functions included: 

A. Flexible in Design — Methods must be "open-ended" for future 
enhancements and readily susceptible to change for ease in 
modification. 

B. "Straight-Forward" in Use -- Methods must be easy to learn and 
easy to apply so as to minimize the training process requirements. 

C. Consistent in Approach -- Methods must be similar in performance 
requirements for different functions in different function 
categories, and methods for performing identical functions for 
different space vehicles must be similar even though the function 
requirement may vary greatly. 

The communication's language developed to support the interactive methods 
is a technology oriented structured vocabulary (i.e., each on-board discipline 
will have an indigenous vocabulary for communicating respective function 
requirements to the computer). Individual discipline languages will be 
accessible through the use of function and CRT line select keys that provide 
a conversational means for selecting the desired language level. The 
conversational approach to obtaining a language allows time for preprocessing 
software and hardware initialization. Many objections appear when maimed 
space flights are discussed along with conversational crew/computer 
communications. One must remember that each discipline is being handled 
separately, and preplanning should solve any critical timing problems . 

The vocabulary structure developed will permit on-board computer users to 
select the language working level conducive to solving the particular 
problem of interest. The language has a function, command and procedural 
level of problem solving capability. The "function" level will perform 
gross task (e.g., display current G&N measurement data); the "command" 
level performs a more controlled task (e.g., display the vehicle's current 
attitude using the inertial reference system); and the procedural level 
will permit finer control over the task being performed. The flexibility 
generated using this technique centers around the users ability to obtain 
the exact data he desires and to chain vocabulary segments to perform even 
more sophisticated tasks. 
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A crew/ computer communication's language is required to overcome the crew/ 
computer interface barrier. Attributes of the language must satisfy the 
interactive requirements of the graphic-display terminal and computer 
without placing undue hardships on the crew. The approach adopted by this 
study as the solution to the above problem was to formulate a function 
oriented structured vocabulary. The objective being to provide each on- 
board discipline a unique command vocabulary for performing related inter- 
active functions and eliminate the need for all crewmen to learn a general 
purpose language and adapt it to their respective job duties. 

The structured vocabulary has four distinct levels which parallel the break- 
down of function categories presented in Section 1. Figure 4 shows the 
relationship of the levels and a description follows: 

A. Category — Refers to eight function categories described in 
Section 1, e.g., Mission Control. 

B. Function — The first level breakout of a function category, 
e.g., Mission Control Planning. 

C. Subfunction — The next level breakout of a function, e.g., 

Mission Control Planning - Timeline Event Analysis. 

D. Vocabulary -- The detailed working level is subdivided into two 
operating modes, procedural and command. 

The prupose of the structured vocabulary is to expedite the location and 
access of the desired function language. This is accomplished through 
keyword association of job functions to technology language. Another 
advantage of a structured vocabulary is that it's easy to program, and 
adapts to an interactive environment. 

The vocabulary level operating modes, "procedural 11 and "command", permit the 
user the option of constructing a complete function for automatic execution 
or performing each task serially. The latter affords the user greater control 
over the function being performed by providing intermediate task results for 
analysis before proceeding to the next task. 

To facilitate further discussion of Space Shuttle crew/computer communication 
methods, a minimum hardware configuration of a remote graphic-display terminal 
is presented (Figure 5) . This particular configuration was selected after 
analysing the common communication requirements of the functions listed in 
Section 1. 

This graphic-display terminal configuration provides an instrument for 
discussion and developing a communication's vocabulary. A discussion of 
the crew/computer hardware/vocabulary interactions are explained in the 
following paragraphs. 
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FIGURE 4 VOCABULARY STRUCTURE BREAKDOWN 
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Procedure Mode 


Reentry procedure for landing at Eglin; alternate Marshall; 
timeline update is auto; retro burn setup is 06:07:45:23* 

(execute) 

Command Mode 

Keys 

Category Select 

Function Select 
Command Key 
Landsite 
Primary Eglin 

'Alternate Marshall 

Timeline (Retro burn setup) 

Execute Sequence Checklist 

Execute Function Reentry Sequence 

The crewman inputs reentry data then computes a cLryrun of the reentry 
event. After dryrun sequence is set for execution and starts monitoring 
procedure. 
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SUMMATION' 


The primary objective of this research effort was to develop advanced crew/ 
computer communication methods applicable to manned spacecraft such as the 
Space Shuttle. It is felt that this objective has been achieved and is 
represented by the defined structured vocabulary. Development of a 
"computerized" structured vocabulary consisting of on-board technology 
oriented languages has become feasible with the advent of language compilers. 
McDonnell Douglas is currently producing such a compiler which provides a 
means for defining syntax in terms of a computer’s machine language. The 
compiler generates a software system which is capable of recognizing and 
analyzing statements written in the defined syntax. The syntax can now be 
used to communicate function requirements to the computer. The McDonnell 
Douglas language compiler, referred to as a Syntax Directed Compiler (SDC), 
is being developed in Huntington Beach, California, and implemented at 
Marshall Space Flight Center, Huntsville, Alabama, The significance of 
this technique is that individual languages can be expanded and/or changed 
without affecting other languages or the operating system. These techniques 
as presented in this document have been implemented at MSFC on an IBM 7094 
and at MDAC-St. Louis in a Space Shuttle simulator. Through these efforts 
this technology has proven effective and usable. 

As a result of the above efforts, MSFC is planning to extend and/or expand 
the vocabulary to meet specific needs of the Space Shuttle missions. 
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II. CRITICAL MISSION PHASES 
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The separation maneuver is mission-critical in nominal and abort cases. Launch pad 
separation is an especially hazardous operation. The separation technique used is as 
follows. As the booster engines are throttled back toward zero for the nominal case, 
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BOOSTER/ORBITER ABORT SEPARATION 
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SEPARATION IS A PRECISE MANEUVER 


III. HAZARD IDENTIFICATION 
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Mission Phase 
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Hazards and Their Potential Sources 
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Potential Source 
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Estimates of Available Correction or Escape Time 
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HAZARD COMPENSATION 
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ESCAPE PROVISIONS GUARANTEE SURVIVAL 



The first abort region is a pad abort during the period cabin closeout to ignition. The 
primary technique for non-critical aborts in this mode is evacuation via the egress ramps 
and the high speed elevators of the gantry. 
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this period, the technique for the "one engine out" case is to thust with the remaining 
engine to attain orbital velocity. Entry would then occur on the first pass (once around). 



At this point the situation may seem "fraught with danger". As stated before, though, if 
the condition is known, meaningful effort can be made to do something about it. 
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characteristics may be inadequate in providing the desired level of safety. 
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INHERENT ABORT CAPABILITY 
Altitude 
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Overpressure is 3 PSI 
After 1.73 Sec 
at a Range of 2725 Feet 
From The Explosion 



OVERPRESSURE DECREASES WIT 
RANGE FROM THE EXPLOSION 



Human Acceleration Limits 
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HUMAN ACCELERATION LIMITS 



247 


ACCELERATION MUST BE APPLIED SELECTIVELY TO MEN 




Escape Provision Requirements 
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e an escape trajectory which is compatible with all possible mission uses 



ESCAPE PROVISION REQMTS VS SHUTTLE 
ASCENT/DESCENT PERFORMANCE 
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ESCAPE SYSTEM ENVELOPE 
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LAUNCH AND LANDING/TAKEOFF ESCAPE 
ENVELOPES ARE INCOMPATIBLE 
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60 000 feet Alt. 
Max Range 
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- Development Flight and Critical Mission Phase Risks Dictate 
Consideration of Booster Escape Capsule and Orbiter Launchpad 
Flyaway Capability or Crew Ejection Seats 



Borel, Emile "Valeur Pratique et Philosophie des Probabilities" Traite du Cacul 
des Probabilities et de ses Applications Tome IV, Fascicule 3. 
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A PROPOSED INCIPIENT FIRE AND TOXIC GAS CAUTION 
AND WARNING SYSTEM FOR SHUTTLE 


Introduction 


Fire detection in the pre-Shuttle era has been on an after the fact 
basis. This situation has not only plagued the Aerospace industry, but 
has been the norm in almost every facet of industrial technology. While 
great strides have been made in the past fifteen years in the fire prevention 
area by the development of non-flammable materials, there are still many 
cases in engineering and design which precludes the use of non-flammable 
materials. While the fire hazard is markedly reduced it still exists. 
Therefore, both the designer and engineer must give careful considerations 
to the what, where, and how materials are used in any system whether for 
earth or space use. In fire prevention, one must consider how to control 
the fuels, that is, its non-flammability in the anticipated environment. 
Electrical shorts and other ignition sources must be minimized. In 
addition, the amounts and placement of flammable materials must be 
adjusted so that if a fire does occur, catastrophic events are prevented. 

As long as the designer and engineer are cognizant of these factors for 
ground system use, he can generally accept some calculated risks. Or, 
if he wishes to go one step further he might add a fire warning and control 
system which will provide an additional time factor in order to react to 
put out the fire, since pre -combustion and combustion times are generally 
of longer duration on earth. However, in space, it is another matter to 
both control and prevent fires since secondary problems of smoke, toxicity, 
and escape become major factors in personnel logistics. Therefore, along 
with trying to have the best non-ignitable materials and configuration, your 
ultimate goal in space is to buy time for the crew to react in case a fire is 
about to occur. The problem of buying time at present has no easy solution 
because technology has lagged in this area. I'm sure that my previous 
statement may be cause for some heated discussion; however, when all of 
the factors are taken into account, all fire and smoke warning devices have 
vulnerable spots. Even those devices now available which call themselves 
fire precursor warning methods are subject to question. All the devices in 
both categories mentioned are either non-specific, that is, subject to 
interferences or they are insensitive. Thus the false alarm nature of these 
techniques markedly decrease their usefulness because in space we cannot 
afford to cry Wolf. 
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Discussion 


NASA has been looking into the area of fire caution and warning 
systems quite carefully in the past few years. While we don't claim any 
panacea in this area, we are looking at some rather interesting techniques 
which could result in a possible breakthrough in the area of buying time for 
either the Shuttle or Space Station crews {Figure 1). We have classified 
fire detectors as primary and secondary types. While several of the 
systems that are called out have obviously been around for some time, 
they are worthy of consideration for certain applications. In addition, 
we believe that in-depth testing is required to uncover their advantages 
and disadvantages. This re-evaluation is being done to probe through the 
smoke laid down by our sometimes over zealous salesmen. I do not intend 
to cover the world of detection but rather address myself to one rather 
interesting system which we at MSFC have been studying for the past two 
years. That is the correlation spectrometer/interferometer technology 
as it applies to fire precursor and toxic gas detection for Shuttle. 

Figure 2 shows a typical fire curve. Primarily for some undefined time, 
depending upon conditions, the ignitor and fuel tend to heat up. During this 
process, pyrolysis products are formed which vaporize into environment. 

As the material continues to increase in temperature, prior to its reaching 
its autoignition temperature, smoke is produced giving a possible visible 
indication of impending fire. At the material's autoignition point, the vapor 
being produced will burst into flame accompanied by an increase in heat and 
pressure. Figure 3 compares the fire risk in space versus earth. 

The major problem facing the successful implementation of remote 
optical detection is the rejection of background spectra. While suitable 
sensitivity is available for the gases of interest, the large number, and at 
present totally unknown concentrations of other gases in the Shuttle, drive 
the instrument design toward the ultimate available specificity. A 
difficult route to follow since there is insufficient criteria for how good 
the system needs to be. However, this' chasm does not seem to be un- 
bridgeable based upon in-house studies at MSFC and the available results 
of Contract NAS8-26197 with Arthur D 0 Little, Incorporated. From these 
data, it appeares that correlation spectrometer /interferometer techniques 
is one of the most promising of all available systems (Figure 4). 

While the ultimate in sophistication would be a scanning correlation 
interferometer with computer data reduction and readout^ this concept 
cannot be developed within the time frame of the Shuttle. In order to 
obtain the maximum in specificity and sensitivity, keep the packaging, and 
power consumption to a minimum with high degree reliability, it was 
decided that the best approach to home in on, for the immediate future, was 
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PRIMARY TYPES 


CONDENSATION NUCLEI COUNTER 
IONIZATION DETECTORS 
SMOKE DETECTORS 

CORRELATION SPECTROMETER/INTERFEROMETER 
UV/IR DETECTORS 
CONTINUOUS WIRE THERMISTORS 
TEMPERATURE SENSITIVE PAINTS 
TRACER ELEMENTS 

SECONDARY TYPES 

THERMAL CONDUCTIVITY BRIDGE 
CATALYTIC WIRE BRIDGE 
MASS SPECTROMETER 
GAS CHROMATOGRAPHY 
R.F. DETECTORS 


Figure 1. Types of Fire Detectors 
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FIGURE 2 - Typical fire curve. 
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Figure 3. Comparative Considerations of Fire Risks in Space vs Earth 




Out 

FIGURE 4.- SCHEMATIC DIAGRAM OF CORRELATION INTERFEROMETER 



the correlation gas filter concept. However, since the weak points of the 
gas filters are the same as those inherent with the non-dispe rsive infrared 
system, namely background rejection, we would have to circumvent this 
problem by some means. Since the requirement of background rejection 
is of utmost importance, the instrument must be based on the use of spectral 
fine strticture whose Lorentz line half widths are on the order of 0.1 cm - ^ 
or greater. Also in order for the high resolution instrument to be capable 
of separating distinguishing features, the gases selected must have vibrational 
mode with low moments of inertia. 

Fortunately, some information can be gleaned on the pyrolysis 
products of materials selected for Shuttle interior. From this information, 
we were able to select eight potential candidates to use as incipient fire 
precursors (Figure 5). Of the eight potential candidates as based upon high 
resolution spectra and a tentative evaluation of possible interfering gas 
spectra, it appears that the leading candidates to be used are COF 2 and SiF^.. 
However, monitoring these two gases only, will not suffice due to some minor 
interferences. In order to rely on the data we will have to monitor the 
background for CO 2 and H 2 O in the case of COF 2 and CO in the case of SiF^. 
COF 2 (at 0.6 torr partial pressure) shows resolvable rotational fine 
structure between 1894 and 197 3 cm - ^ and between 232 5 and 2650 cm'l The 
average line spacings and half widths are 0. 34 cm'l and 0, 18 c m“l under 
an air atmosphere. The line half widths for the pure gas was found to be 
0. 03 cm - ^. SiF^ has line spacings and Lorentz half widths of 0. 50 cm”^ 
and 0. 18 cm - ^, respectively, under a nitrogen atmosphere in the region 
between 1917 and 2099 cm - ^. 

By utilizing a detection system capable of analyzing for the most likely 
fire precursor or precursors plus those causing background interference, it 
is believed that a highly reliable incipient fire and toxic gas caution and 
warning system can be developed for the Shuttle. 

Based upon this rationale, we have established some very preliminary 
parameter goals for our caution and warning system (Figure 6). In 
addition, the simplest systems would have to provide spectral information 
without being transformed either to space directly (dispersion) or to space 
by way of time (interferometry). This can be accomplished by one of three 
methods; either as a specific spectral filter mask or by negative or positive 
adsorption filtering. The best approach is the use of the spectral filter 
mask; however, this not only increases the system complexity, but also 
degrades its long term reliability. 

A simple gas filled optical cell used as an absorption filter for the 
spectral lines produces what can be called a "negative filter" in the sense 
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Figure 5. Spectral Characteristics of Gases of Interest 



Optical Path Length 1 meter 

Minimum Detectable" Par tial Pressure. (Typ) <10 ^ atm 

Spectral Region As required 

(probably 2p-5y) 


Response Time 

Number of Gases to be Monitored 


<30 seconds 
6 or more 


Size, Volume, Weight 


Minimum 


Lifetime 


2 years 


Figure 6. Required System Parameters 
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that it removes the spectral signature of interest while passing all of the 
background information between the absorption lines. In general, using 
only negative filtering leads to a system in which the detector/electronic 
subsystem must discriminate and detect on the basis of very small changes 
in a large signal (typically changes on the order of 1 part in 10+5 to io+7 
for the problem at hand). 

Commercial instruments have been built utilizing such negative filter, 
but positive filtering concepts have a distinctive advantage. The common 
implementation of these involves the use of a pneumatic detector that con- 
tains the gas of interest. Infrared absorption takes place only at the lines 
or bands of interest; thus significantly reducing the radiation load on the 
detector to just the wavelengths of interest. 

An alternative approach has been suggested in which "positive filtering" 
is achieved. In this configuration, the gas sample and the associated optical 
system pass radiation only in the spectral intervals corresponding to the 
absorption lines of interest. The system consists of a interferometer which 
is adjusted so that there is zero path difference in the two arms, and there 
is destructive interference at the output for all wavelengths, i. e. , the 
interferometer is effectively opaque. Then a sample of the gas of interest is 
placed in one arm and the anomalous refraction in and near the absorption 
lines changes one path by many wavelengths. The condition of destructive 
interference is upset at those wavelengths and radiation passes through the 
system only at those specific wavelengths. A positive filtering system 
generally leads to smaller signals, but much larger percentage modulation 
for detection and discrimination. 

If either one of these approaches is used in a simple level detection 
device, it would be vulnerable to changes in the background level and the 
presence of spurious absorption bands. Sensitivity to background (or source) 
level can be completely eliminated and susceptibility to false alarms greatly 
reduced by combining the two techniques to determine the relative change in 
absorption of the lines of interest and the spectral region between the lines. 

An effective and compact configuration for accomplishing this is shown 
in Figure 7. The basic positive filter interferometer is set up and the 
radiation at the wavelengths of the absorption lines appears in the lower 
output beam. One of the interferometer mirrors is made partially 
transmitting allowing the "negative filtered" radiation to escape the inter- 
ferometer. A second gas cell may be necessary to obtain a sufficient amount 
of negative filtering. In any event, this radiation (upper beam) is passed 
through an optical attenuator so that its total power exactly equals the 
positively filtered beam when none of the gas of interest is in the sample path. 
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partially transmitting 
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Figure 7. Schematic Layout of Gas Filter Correlating Sensor 



The strength of the two beams is compared by alternately directing them to a 
single detector. A signal processing block diagram is shown in Figure 8, The 
difference between the two beams is determined by the a,c, portion of the detec- 
tor signal and the d.c, level is neglected. Synchronous detection of the sig- 
nal is used with the rotation or a change in broad absorption band which covers 
both the positively filtered lines and the negatively filtered region, the 
radiation levels in the two beams change by the same percentage and there is 
no signal difference introduced. Positive signals (in phase) indicate the 
radiation in the absorption bands has fallen off and the gas of interest is 
present. Negative signals indicate that something in the background between 
the absorption lines of interest is beginning to absorb. This negative signal 
would be nulled out either optically (by varying the attenuator), or electrically 
to preserve the threshold setting of the alarm. Interruption of the beams or a 
gross loss in transmission from the source would be used to sound an "inopera- 
tive" alarm. 

If there were interfering gases in the background, i,e,, gases with 
absorption lines overlapping those of the gas of interest, the blocking filter 
at the sensor input could include negative filtering by a cell filled with the 
offending gas. 

In the present stage of development, we now have an engineering breadboard 
in operation (Figure 9) and testing is now underway to determine its sensitivity 
(signal to noise ratio), stability, specificity and susceptibility to inter- 
ference, nature of the stored reference, capability of being used in multigas 
analysis, and equipment complexity. Gas sampling techniques and capabilities 
are also being evaluated as well. One technique is obviously by use of a finite 
dimensional gas cell where samples from a given "black box" or locale can be 
assayed. The second concept is to evaluate the ability of the unit to be used 
for area monitoring. If the second concept is found to be feasible two correla- 
tion gas filters can be used for the purpose of triangulating in on a potential 
fire source. 

The contemplated flight unit based upon present estimates will be modular 
in nature. Each module will be approximately 5 cm 2 by 15 cm long. Six modules 
are expected to make up the total package. 
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level Interrupt 

det. . — alarm 



Figure 8. Block Diagram of Gas Filter Cell Instrument 














Conclusions 


Based upon present evidence, the gas filter cell offers the ultimate 
in background rejection. Not only does the gas filter cell offer sensitivity 
as good as the other systems, but its inherent throughput advantage offers 
more ultimate sensitivity at the expense of some source power. The most 
difficult problem in implementing the gas filter cell is making stable 
reference samples for the two-year lifetime. It Is believed that the 
individual gas cell sensor can be made into a small, compact, and 
reliable instrument. However, multiple gas monitoring will probably 
require parallel optical systems. 

Based upon present data, the amount of toxic gas required to 
implement the system will be insufficient to be a significant hazard in 
the spacecraft. Also, this approach is believed to offer the most 
convenient changes in gas of interest - simply add a sensor for the new 
species without changing any of the existing system. 
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FIRE PROTECTION DESIGN FOR SHUTTLE 
G. F. Ard 

NASA, Kennedy Space Center, Florida 


I. INTRODUCTION 

A. The objectives of the fire protection systems at KSC are, in order of priority: 

1. Protection of personnel. 

2. Protection of facilities. 

3. Protection of flight hardware. 

B. Specific restrictions to systems are: 

1. There will be no automatic activation of water systems capable of 
spraying on flight hardware except where the system should be intentionally armed for 
automatic operation during a specific set of circumstances or conditions. 

2. Two manual operating functions, with logic to prevent inadvertent 
operation, will be required to turn the water on. 

3. Separate electrical circuitry between operating switches and valves 

should be provided so as to prevent inadvertent activation by a single electrical short. 

II. SHUTTLE FLOW THROUGH THE FACILITIES (Figure 1) 

A. Vehicle Assembly Building (Figure 2) 

1. Assembly of Major Structural Elements 

2. Test and Checkout of Flight Systems 

3. Mating and Checkout 

4. Component or System Overhaul and Maintenance 
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Figure 1. Shuttle Flow through Facilities 





Figure 2. KSC - VAB WITH ADDITION TO NORTH END - HORIZONTAL 

TO PAD TRANSPORT 






B. 


Launch Pad (Figure 3) 


1. System Preparation & Test 

2. CDDT 

3. Propellant and Cryo Loading 

4. Launch Countdown 

C. Landing Area (Includes air-breather engine run up) (Figure 4) 

D. Safing Area (Figure 4) 

1. Venting, LOX and GH 2 

2. Purging and Passifying Systems 

3. Loading JP Fuel 

4. Cargo and Crew Off-loading 

III. SYSTEMS AVAILABLE - HAZARD RELATIONSHIP 

A. Vehicle Assembly Building 

1. This building is part sprinklered. Sprinkler protection has been 
provided for combustible and flammable storage areas. 

2. The extensible platforms in the High Bays are protected by open 
nozzle deluge systems. These systems have three modes of operation: automatic, 
manual, and off. 

3. The existing systems provide protection against a fire from gaining 
such proportions as to seriously expose ordnance to excessive temperatures with 
possible explosion. 

4. A new spill (JP) containment, drain, disposal and water wash-down 
should be provided. Dikes with removable sections for traffic flow should be provided. 

5. Certain inaccessible densely loaded compartments of the shuttle 
stages should be designed to receive an extinguishing and/or inerting media. The 
media has not been selected. Portable equipment should be connected and ready to 
support during test and checkout. 
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Figure 3. LAUNCH PAD 39 WITH SHUTTLE ON MOBILE LAUNCH 
VERTICAL TRANSPORT TO PAD CONCEPT 






282 


Figure 4. KSC - VAB WITH ADDITION TO NORTH END - VERTICAL 

TRANSPORT TO PAD 





B. Launch Pad (Base Line - Vertical Concept) 

1. The Launch Umbilical Tower (LUT) has open nozzle water deluge 
systems on approximately 50% of the work levels plus the egress paths. 

2. The existing systems will be modified as necessary to provide 
protection at the required shuttle work levels, 

3. An additional egress route will be established and protected with open 
nozzle water spray. 

4. As stated previously, portable equipment will be connected to the 
flight hardware compartments and placed in a ready to support made during periods of 
hazardous operations. 

5. With our existing Single Failure Point philosophy and a change to 
simultaneous flow of LH 2 and LOX, the fire protection systems will be designed to 
contain and/or extinguish a fire. Reducing the probability of an explosion is a separate 
subject. 

6. Related to fire protection is response time and procedures of the fire 
fighting and rescue personnel. New concepts for the rescue of sixteen (16) crew and 
passengers will have to be developed based on final configuration of and access to 
the shuttle stages. The existing slidewire and elevators will require modification if 
they are retained. 

C. Landing Area 

1. Mobile equipment will be used to provide a 2" thick layer of protein 
foam on the runway. Additional mobile foam equipment will be available for covering 
the shuttle stage wherever it stops if required. This same equipment will then be 
available for protection at other locations during ground cycle. 

2. Water pumper units will be provided. 

3. Halon 2402, Dibromotetrafluoroethane, CBrF2CBj.F2 has possibilities 
for outdoor use and will be considered. 

D. Safing Area 

1. An installed protein foam system is highly recommended. Some of the 
discharge nozzles will be directionally controlled. 

2. A water deluge system will be provided which can also be used for 
cooling or wash down. 
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IV. The extinguishing media that will be considered are: 

A. Water and Water Additives 

B. Foam 

1. Hi Expansion 

2. Protein 

3. Light Water 

C. Gaseous 

1. Nitrogen 

2. C0 2 

3. Halon 1301 and 2402 

D. Dry Powder 
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